whats the difference between sudo and su?

scorp123

Re: whats the difference between sudo and su?

Post by scorp123 »

jett wrote: does sudo do something that su doesn't?
It jumps out of the session once it's finished, su doesn't per default, it stays in the account you su'd into. A funny combination under Ubuntu is sudo su - ... gives you a root shell 8)
clem

Post by clem »

su --> login as root
sudo --> run as root

With su you're talking permissions, owners, groups.
With sudo you're talking sudoers, list of people who can run things "without being root" or "having permissions on the files".

Clem
rfruth

Post by rfruth »

Here is some su vs sudo info https://help.ubuntu.com/community/RootSudo
HP Sparks

Re: whats the difference between sudo and su?

Post by HP Sparks »

Hi,

Nowadays, you have sudo -s to replace su, to access the shell as root.

:!: But, as usual, be careful and have a reliable recent backup of whatever you could damage accidentally... ;-)

The main interest, for me, is being able to execute certain commands that fail when just using sudo.
For example, using the echo command to write some text into a file owned by root without changing the ownership or permissions:

Code:

user@system ~ $ 
user@system ~ $ # This is a comment... It starts with a "#" sign and can be added to command line after placing a ";" to separate both.
user@system ~ $ echo $USER ; # better than "whoami" command.
user
user@system ~ $ ls -l /root/some_test.txt ; # To be sure that /root/some_test.txt does Not exist.
ls: cannot access /root/some_test.txt: No such file or directory
user@system ~ $ sudo echo "some text from $USER" > /root/some_test.txt ; # Tries to write some text into the file and fails...
bash: /root/some_test.txt: Permission denied
user@system ~ $ sudo -s ; # switching to root's shell...
system ~ # #
system ~ # # Do take note of the "#" sign replacing the usual "$" sign for other users...
system ~ # #
system ~ # echo $USER ; # better than "whoami" command.
root
system ~ # sudo echo "some text from $USER" > /root/some_test.txt
system ~ # cat /root/some_test.txt
some text from root
system ~ # rm /root/some_test.txt
system ~ # exit ; # Exiting root's shell
exit
user@system ~ $
The reason for the failure is that sudo applies to the command/program. Not to the file, which is Not accessible by the current user...
Try the following command in case of doubt: sudo echo $USER, which gives a different result than sudo whoami, while supposed to be "equivalent"... ($USER being a system-managed variable...) :!:

Code:

user@system ~ $
user@system ~ $ sudo echo $USER
user
user@system ~ $ sudo whoami
root
user@system ~ $

Enjoy ! ;-)

Best regards,
HP_
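
The failure in the post above happens because the calling shell opens the redirection target and expands $USER before sudo starts. The following is an added example, not part of the original post, showing forms where the elevated process does that work itself; ELEVATE is a hypothetical variable (default sudo) so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example: who opens the file, and who expands $USER.
# ELEVATE is a hypothetical knob: "sudo" in real use, a stand-in when testing.
ELEVATE=${ELEVATE:-sudo}

# Fails on a root-only path: the unprivileged calling shell performs
# the "> file" redirection before the elevated command is even started.
write_via_redirect() {   # usage: write_via_redirect FILE TEXT
  $ELEVATE printf '%s\n' "$2" > "$1"
}

# Works: tee runs elevated and opens FILE itself; the caller only feeds a pipe.
write_via_tee() {        # usage: write_via_tee FILE TEXT
  printf '%s\n' "$2" | $ELEVATE tee "$1" > /dev/null
}

# Works: an elevated shell interprets the redirection. FILE and TEXT are
# passed as positional parameters, not pasted into the command string.
write_via_shell() {      # usage: write_via_shell FILE TEXT
  $ELEVATE sh -c 'printf "%s\n" "$2" > "$1"' sh "$1" "$2"
}

# "$USER" is expanded by the caller, so this prints the invoking user.
user_seen_by_caller() { $ELEVATE echo "$USER"; }

# Single quotes defer expansion to the elevated shell, which sees its own USER.
user_seen_by_target() { $ELEVATE sh -c 'echo "$USER"'; }
```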
ivan-the-idiot

Re: whats the difference between sudo and su?

Post by ivan-the-idiot »

In practice, using sudo -i and using su - have the same effect. Using sudo to run an application is more like using setuid/setgid permissions on the binary than it is actually becoming root and executing the program.

However... in a shared admin environment where there are multiple admins sudo can be configured to do the following:

Allow only certain applications to be run based on username and/or group membership
Log all uses - so you can see who sudo'd what and when
Log all attempts w/ wrong password - so you can see who tried to do stuff...

This means you can do things like give a web developer access to enable/disable apache or php modules/extensions and restart the webserver, but NOT mess with the rest of the system (on a development box of course - not production), and when they b0rk it you have a log of what commands were run beforehand. Or give a junior admin rights needed to run backups, etc.
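
The logging described above can be reviewed with a short filter. This added example (not from the thread) parses sudo's syslog entries into status, user, time and command; the sample lines and the names devbox, webdev and junior are constructed.

```shell
#!/bin/sh
# Added example: summarise sudo activity from syslog-style lines.
# Sample lines are constructed for illustration; host and user names are made up.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 09:12:01 devbox sudo:   webdev : TTY=pts/0 ; PWD=/home/webdev ; USER=root ; COMMAND=/usr/sbin/a2enmod rewrite
Mar  3 09:12:09 devbox sudo:   webdev : TTY=pts/0 ; PWD=/home/webdev ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
Mar  3 09:15:44 devbox sudo:   webdev : command not allowed ; TTY=pts/0 ; PWD=/home/webdev ; USER=root ; COMMAND=/bin/bash
Mar  3 10:02:17 devbox sudo:   junior : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/junior ; USER=root ; COMMAND=/usr/bin/rsync -a /srv /backup
Mar  3 10:05:00 devbox sudo: pam_unix(sudo:session): session opened for user root by webdev(uid=0)
EOF
)

# Reads log lines on stdin; prints STATUS<TAB>user<TAB>timestamp<TAB>command.
sudo_audit() {
  awk '
    {
      i = index($0, " sudo: ")
      if (i == 0) next
      rest = substr($0, i + 7)
      j = index(rest, "COMMAND=")
      if (j == 0) next                       # PAM session lines and similar
      head = substr(rest, 1, j - 1)          # user and status, before the command
      cmd  = substr(rest, j + 8)
      user = head
      sub(/^ +/, "", user); sub(/ : .*$/, "", user)
      status = "OK"
      if (head ~ /incorrect password attempt/) status = "BADPASS"
      else if (head ~ /command not allowed|NOT in sudoers/) status = "DENIED"
      printf "%s\t%s\t%s %s %s\t%s\n", status, user, $1, $2, $3, cmd
    }'
}

# Only the entries an admin would want to look at first.
sudo_failures() { sudo_audit | awk -F '\t' '$1 != "OK"'; }
```

On Debian-based systems such as Mint and Ubuntu the input is typically /var/log/auth.log (an assumption about the syslog setup), for example `sudo_failures < /var/log/auth.log`.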
slipstick

Re: whats the difference between sudo and su?

Post by slipstick »

HP Sparks wrote:Nowadays, you have sudo -s to replace su, to access the shell as root.
I notice that if I use sudo -s it creates and leaves the file ~/.cache/dconf/user, a 2-byte binary file owned by root. This causes an error when I try to backup using Grsync (permission denied) - I have to manually remove this file before backup if I don't want an error message. If I use instead sudo -i which opens a login shell, then no file owned by root is left behind in ~.
In theory, theory and practice are the same. In practice, they ain't.
HP Sparks

Re: whats the difference between sudo and su?

Post by HP Sparks »

slipstick wrote:
HP Sparks wrote:Nowadays, you have sudo -s to replace su, to access the shell as root.
I notice that if I use sudo -s it creates and leaves the file ~/.cache/dconf/user, a 2-byte binary file owned by root. This causes an error when I try to backup using Grsync (permission denied) - I have to manually remove this file before backup if I don't want an error message. If I use instead sudo -i which opens a login shell, then no file owned by root is left behind in ~.
Interesting and worth knowing ! ;-)
Is that part of sudo program or consequences of its configuration file(s) ?

What else may (or not) be done in the background while using sudo -s in place of sudo -i ?

info sudo gives very little information and a pointer to the /etc/sudoers security policy configuration file.

Code:

...
...
     -i, --login
                 Run the shell specified by the target user's password data‐
                 base entry as a login shell.  This means that login-specific
                 resource files such as .profile or .login will be read by the
                 shell.  If a command is specified, it is passed to the shell
                 for execution via the shell's -c option.  If no command is
                 specified, an interactive shell is executed.  sudo attempts
                 to change to that user's home directory before running the
                 shell.  The command is run with an environment similar to the
                 one a user would receive at log in.  The Command Environment
                 section in the sudoers(5) manual documents how the -i option
                 affects the environment in which a command is run when the
                 sudoers policy is in use.
...
...
     -s, --shell
                 Run the shell specified by the SHELL environment variable if
                 it is set or the shell specified by the invoking user's pass‐
                 word database entry.  If a command is specified, it is passed
                 to the shell for execution via the shell's -c option.  If no
                 command is specified, an interactive shell is executed.

...
...

:!: If someone wants to have a look at the /etc/sudoers file, it is highly recommended to do it using the visudo program, to prevent disastrous effects in case of accidental editing, as visudo does specific and necessary syntax checking Not offered by other text editors.
slipstick

Re: whats the difference between sudo and su?

Post by slipstick »

Here's an answer to a question four years ago that says sudo -i is more secure than sudo -s:

https://unix.stackexchange.com/question ... -sudo-bash

Security aside, it seems to me that sudo with any option should clean up after itself and not leave files owned by root in your home directory. Don't know if that's a bug or just something that I don't understand.
In theory, theory and practice are the same. In practice, they ain't.