su Command
Switch to another user account or execute commands as a different user with proper authentication.
Syntax
su [OPTIONS] [username]
su [OPTIONS] -c command [username]
The su (switch user) command allows you to assume the identity of another user, typically used to gain root privileges or switch between user accounts.
Common Options
| Option |
Description |
- or -l |
Start login shell with target user's environment |
-c command |
Execute specific command as target user |
-s shell |
Use specified shell instead of default |
-m or -p |
Preserve current environment |
-g group |
Specify primary group |
-G group |
Specify supplementary groups |
--help |
Display help information |
--version |
Show version information |
Basic Usage
Switching users
# Switch to root user
su
su root
# Switch to specific user
su john
su alice
# Switch with login shell (recommended)
su -
su - root
su - john
# Exit back to original user
exit
Basic user switching operations
Environment handling
# Login shell with full environment
su - username
# Preserve current environment
su -m username
su -p username
# Use specific shell
su -s /bin/bash username
su -s /bin/zsh username
# Check current user and environment
whoami
echo $HOME
echo $PATH
Handle user environment when switching
Executing commands
# Execute single command as root
su -c "ls /root"
su -c "systemctl restart nginx"
# Execute command as specific user
su -c "whoami" john
su -c "ls -la ~" alice
# Execute with login environment
su - -c "echo \$HOME"
su - john -c "cd ~ && pwd"
# Multiple commands
su -c "cd /var/log && tail -n 10 syslog"
Execute commands as different users without switching
Root Access
Becoming root
# Switch to root (requires root password)
su
su root
su -
# Execute root commands
su -c "apt update"
su -c "systemctl status nginx"
su -c "cat /etc/shadow"
# Root shell with full environment
su -
# Now you're root with root's environment
whoami # outputs: root
pwd # outputs: /root
Gain root privileges for system administration
Root command execution
# System administration tasks
su -c "useradd newuser"
su -c "usermod -aG sudo john"
su -c "passwd alice"
# Service management
su -c "systemctl start apache2"
su -c "systemctl enable mysql"
su -c "systemctl reload nginx"
# File operations requiring root
su -c "chmod 755 /usr/local/bin/myscript"
su -c "chown root:root /etc/myconfig"
su -c "cp /home/user/config /etc/app/"
Execute administrative commands as root
User Switching Scenarios
Development and testing
# Switch to test user
su - testuser
# Test application as different user
su -c "cd /opt/myapp && ./run_tests.sh" testuser
# Check file permissions as user
su -c "ls -la /home/testuser/data" testuser
# Run application as service user
su -c "cd /opt/webapp && python app.py" webapp
# Database operations as db user
su -c "psql -d mydb -c 'SELECT * FROM users;'" postgres
Switch users for development and testing scenarios
Service account operations
# Switch to service accounts
su - www-data
su - mysql
su - postgres
# Execute as service user
su -c "ls -la /var/www/html" www-data
su -c "mysqldump mydb > backup.sql" mysql
su -c "pg_dump mydb > backup.sql" postgres
# Check service user environment
su - www-data -c "echo \$HOME && echo \$USER"
# Run maintenance tasks
su -c "/opt/app/maintenance.sh" appuser
Work with service accounts and system users
Security Considerations
Password requirements
# su requires target user's password
su john # Requires john's password
su root # Requires root password
# Only root can su without password
# (when already root)
sudo su - john # Uses sudo, then su
# Check who can use su
groups
id
# su authentication logs
sudo tail /var/log/auth.log | grep su
Understanding su authentication requirements
Restricting su access
# Configure su access via PAM
# /etc/pam.d/su
auth required pam_wheel.so use_uid
# Only wheel group members can su to root
sudo usermod -aG wheel username
# Check wheel group membership
getent group wheel
# Alternative: use suauth
# /etc/suauth
root:ALL EXCEPT GROUP wheel:DENY
ALL:root:DENY
Restrict and control su access for security
Logging and monitoring
# Monitor su usage
sudo tail -f /var/log/auth.log | grep su
# Check su attempts
sudo grep "su:" /var/log/auth.log
# Failed su attempts
sudo grep "FAILED su" /var/log/auth.log
# Successful su sessions
sudo grep "session opened" /var/log/auth.log | grep su
# Current su sessions
who
w
Monitor and log su usage for security auditing
su vs sudo
Key Differences
su (Switch User)
- Switches to another user completely
- Requires target user's password
- Creates new shell session
- Changes user identity entirely
- Session lasts until exit
sudo (Super User Do)
- Executes commands with elevated privileges
- Uses current user's password
- Temporary privilege elevation
- Maintains current user identity
- Per-command authorization
Comparison examples
# Using su
su - # Switch to root completely
systemctl restart nginx # Run as root
exit # Return to original user
# Using sudo
sudo systemctl restart nginx # Run single command as root
# su with command
su -c "systemctl restart nginx"
# sudo with shell
sudo -i # Interactive root shell
sudo su - # Switch to root via sudo
# Different user with su
su - john -c "whoami"
# Different user with sudo
sudo -u john whoami
Compare su and sudo usage patterns
Practical Examples
System administration
# User management as root
su -c "useradd -m -s /bin/bash newuser"
su -c "passwd newuser"
su -c "usermod -aG sudo newuser"
# File system operations
su -c "mount /dev/sdb1 /mnt/backup"
su -c "chown -R www-data:www-data /var/www/html"
su -c "chmod 755 /usr/local/bin/myscript"
# Service management
su -c "systemctl enable nginx"
su -c "systemctl start mysql"
su -c "systemctl reload apache2"
# Package management
su -c "apt update && apt upgrade -y"
su -c "yum install -y httpd"
Common system administration tasks with su
Application deployment
# Deploy as application user
su - appuser -c "cd /opt/myapp && git pull origin main"
su - appuser -c "cd /opt/myapp && ./deploy.sh"
# Database operations
su - postgres -c "createdb newapp"
su - postgres -c "pg_dump olddb > /backup/olddb.sql"
su - mysql -c "mysqldump -u root -p mydb > backup.sql"
# Web server operations
su - www-data -c "cd /var/www && tar -xzf website.tar.gz"
su -c "chown -R www-data:www-data /var/www/newsite"
# Log analysis
su - syslog -c "tail -f /var/log/application.log"
Application deployment and maintenance with su
Troubleshooting and debugging
# Debug as specific user
su - problemuser -c "cd ~ && ls -la"
su - problemuser -c "echo \$PATH"
su - problemuser -c "which python"
# Test permissions
su - testuser -c "touch /tmp/test && rm /tmp/test"
su - webuser -c "ls -la /var/www/html"
# Check user environment
su - username -c "env | sort"
su - username -c "id && groups"
# Process debugging
su - appuser -c "ps aux | grep myapp"
su - appuser -c "lsof -u appuser"
Troubleshoot issues by switching to affected users
Best Practices
su Usage Best Practices
- Use
su - for full login environment when switching to root
- Prefer
sudo for single commands requiring elevated privileges
- Always exit su sessions when finished to avoid security risks
- Use
su -c for single commands to avoid staying in elevated session
- Monitor su usage through system logs for security auditing
- Restrict su access using PAM configuration and group membership
- Use strong passwords for accounts that can be su targets
- Consider disabling root password and using sudo instead
Security Warnings
- Password exposure - su requires knowing target user's password
- Session persistence - su sessions remain active until explicitly exited
- Environment inheritance - Be aware of environment variable inheritance
- Privilege escalation - Ensure proper access controls are in place
- Logging gaps - Commands in su sessions may not be fully logged
Troubleshooting
Common Issues and Solutions
- Authentication failure - Verify target user's password and account status
- Permission denied - Check if user is allowed to use su (wheel group)
- Environment issues - Use
su - for clean login environment
- Shell problems - Specify shell with
-s option
- Path issues - Check PATH variable in new user environment
Debugging su issues
# Check user account status
sudo passwd -S username
sudo chage -l username
# Verify user exists
getent passwd username
id username
# Check su permissions
groups
getent group wheel
# Test with verbose logging
su -v username
# Check authentication logs
sudo tail /var/log/auth.log | grep su
# Verify shell
getent passwd username | cut -d: -f7
Debug and resolve su-related issues