su Command

Switch to another user account or execute commands as a different user with proper authentication.

Syntax

su [OPTIONS] [username] su [OPTIONS] -c command [username]

The su (switch user) command allows you to assume the identity of another user, typically used to gain root privileges or switch between user accounts.

Common Options

Option Description
- or -l Start login shell with target user's environment
-c command Execute specific command as target user
-s shell Use specified shell instead of default
-m or -p Preserve current environment
-g group Specify primary group
-G group Specify supplementary groups
--help Display help information
--version Show version information

Basic Usage

Switching users

# Switch to root user su su root # Switch to specific user su john su alice # Switch with login shell (recommended) su - su - root su - john # Exit back to original user exit

Basic user switching operations

Environment handling

# Login shell with full environment su - username # Preserve current environment su -m username su -p username # Use specific shell su -s /bin/bash username su -s /bin/zsh username # Check current user and environment whoami echo $HOME echo $PATH

Handle user environment when switching

Executing commands

# Execute single command as root su -c "ls /root" su -c "systemctl restart nginx" # Execute command as specific user su -c "whoami" john su -c "ls -la ~" alice # Execute with login environment su - -c "echo \$HOME" su - john -c "cd ~ && pwd" # Multiple commands su -c "cd /var/log && tail -n 10 syslog"

Execute commands as different users without switching

Root Access

Becoming root

# Switch to root (requires root password) su su root su - # Execute root commands su -c "apt update" su -c "systemctl status nginx" su -c "cat /etc/shadow" # Root shell with full environment su - # Now you're root with root's environment whoami # outputs: root pwd # outputs: /root

Gain root privileges for system administration

Root command execution

# System administration tasks su -c "useradd newuser" su -c "usermod -aG sudo john" su -c "passwd alice" # Service management su -c "systemctl start apache2" su -c "systemctl enable mysql" su -c "systemctl reload nginx" # File operations requiring root su -c "chmod 755 /usr/local/bin/myscript" su -c "chown root:root /etc/myconfig" su -c "cp /home/user/config /etc/app/"

Execute administrative commands as root

User Switching Scenarios

Development and testing

# Switch to test user su - testuser # Test application as different user su -c "cd /opt/myapp && ./run_tests.sh" testuser # Check file permissions as user su -c "ls -la /home/testuser/data" testuser # Run application as service user su -c "cd /opt/webapp && python app.py" webapp # Database operations as db user su -c "psql -d mydb -c 'SELECT * FROM users;'" postgres

Switch users for development and testing scenarios

Service account operations

# Switch to service accounts su - www-data su - mysql su - postgres # Execute as service user su -c "ls -la /var/www/html" www-data su -c "mysqldump mydb > backup.sql" mysql su -c "pg_dump mydb > backup.sql" postgres # Check service user environment su - www-data -c "echo \$HOME && echo \$USER" # Run maintenance tasks su -c "/opt/app/maintenance.sh" appuser

Work with service accounts and system users

Security Considerations

Password requirements

# su requires target user's password su john # Requires john's password su root # Requires root password # Only root can su without password # (when already root) sudo su - john # Uses sudo, then su # Check who can use su groups id # su authentication logs sudo tail /var/log/auth.log | grep su

Understanding su authentication requirements

Restricting su access

# Configure su access via PAM # /etc/pam.d/su auth required pam_wheel.so use_uid # Only wheel group members can su to root sudo usermod -aG wheel username # Check wheel group membership getent group wheel # Alternative: use suauth # /etc/suauth root:ALL EXCEPT GROUP wheel:DENY ALL:root:DENY

Restrict and control su access for security

Logging and monitoring

# Monitor su usage sudo tail -f /var/log/auth.log | grep su # Check su attempts sudo grep "su:" /var/log/auth.log # Failed su attempts sudo grep "FAILED su" /var/log/auth.log # Successful su sessions sudo grep "session opened" /var/log/auth.log | grep su # Current su sessions who w

Monitor and log su usage for security auditing

su vs sudo

Key Differences
su (Switch User)
  • Switches to another user completely
  • Requires target user's password
  • Creates new shell session
  • Changes user identity entirely
  • Session lasts until exit
sudo (Super User Do)
  • Executes commands with elevated privileges
  • Uses current user's password
  • Temporary privilege elevation
  • Maintains current user identity
  • Per-command authorization

Comparison examples

# Using su su - # Switch to root completely systemctl restart nginx # Run as root exit # Return to original user # Using sudo sudo systemctl restart nginx # Run single command as root # su with command su -c "systemctl restart nginx" # sudo with shell sudo -i # Interactive root shell sudo su - # Switch to root via sudo # Different user with su su - john -c "whoami" # Different user with sudo sudo -u john whoami

Compare su and sudo usage patterns

Practical Examples

System administration

# User management as root su -c "useradd -m -s /bin/bash newuser" su -c "passwd newuser" su -c "usermod -aG sudo newuser" # File system operations su -c "mount /dev/sdb1 /mnt/backup" su -c "chown -R www-data:www-data /var/www/html" su -c "chmod 755 /usr/local/bin/myscript" # Service management su -c "systemctl enable nginx" su -c "systemctl start mysql" su -c "systemctl reload apache2" # Package management su -c "apt update && apt upgrade -y" su -c "yum install -y httpd"

Common system administration tasks with su

Application deployment

# Deploy as application user su - appuser -c "cd /opt/myapp && git pull origin main" su - appuser -c "cd /opt/myapp && ./deploy.sh" # Database operations su - postgres -c "createdb newapp" su - postgres -c "pg_dump olddb > /backup/olddb.sql" su - mysql -c "mysqldump -u root -p mydb > backup.sql" # Web server operations su - www-data -c "cd /var/www && tar -xzf website.tar.gz" su -c "chown -R www-data:www-data /var/www/newsite" # Log analysis su - syslog -c "tail -f /var/log/application.log"

Application deployment and maintenance with su

Troubleshooting and debugging

# Debug as specific user su - problemuser -c "cd ~ && ls -la" su - problemuser -c "echo \$PATH" su - problemuser -c "which python" # Test permissions su - testuser -c "touch /tmp/test && rm /tmp/test" su - webuser -c "ls -la /var/www/html" # Check user environment su - username -c "env | sort" su - username -c "id && groups" # Process debugging su - appuser -c "ps aux | grep myapp" su - appuser -c "lsof -u appuser"

Troubleshoot issues by switching to affected users

Best Practices

su Usage Best Practices
  • Use su - for full login environment when switching to root
  • Prefer sudo for single commands requiring elevated privileges
  • Always exit su sessions when finished to avoid security risks
  • Use su -c for single commands to avoid staying in elevated session
  • Monitor su usage through system logs for security auditing
  • Restrict su access using PAM configuration and group membership
  • Use strong passwords for accounts that can be su targets
  • Consider disabling root password and using sudo instead
Security Warnings
  • Password exposure - su requires knowing target user's password
  • Session persistence - su sessions remain active until explicitly exited
  • Environment inheritance - Be aware of environment variable inheritance
  • Privilege escalation - Ensure proper access controls are in place
  • Logging gaps - Commands in su sessions may not be fully logged

Troubleshooting

Common Issues and Solutions
  • Authentication failure - Verify target user's password and account status
  • Permission denied - Check if user is allowed to use su (wheel group)
  • Environment issues - Use su - for clean login environment
  • Shell problems - Specify shell with -s option
  • Path issues - Check PATH variable in new user environment

Debugging su issues

# Check user account status sudo passwd -S username sudo chage -l username # Verify user exists getent passwd username id username # Check su permissions groups getent group wheel # Test with verbose logging su -v username # Check authentication logs sudo tail /var/log/auth.log | grep su # Verify shell getent passwd username | cut -d: -f7

Debug and resolve su-related issues

See also