What's the difference between sudo and su?


Postby jett » Mon Jan 15, 2007 5:45 pm

They seem to do the same thing.
When you log into su don't you have total control?
Or does sudo do something that su doesn't?


Postby scorp123 » Mon Jan 15, 2007 6:19 pm

jett wrote: does sudo do something that su doesn't?
It jumps out of the session once it's finished; su doesn't by default, it stays in the account you su'd into. A funny combination under Ubuntu is sudo su - ... it gives you a root shell 8)


Postby clem » Tue Jan 16, 2007 9:09 am

su --> login as root
sudo --> run as root

With su you're talking permissions, owners, groups.
With sudo you're talking sudoers, list of people who can run things "without being root" or "having permissions on the files".

Clem


Postby rfruth » Tue Jan 16, 2007 11:06 pm

Here is some su vs sudo info https://help.ubuntu.com/community/RootSudo


Postby HP Sparks » Fri May 20, 2016 5:56 pm

Hi,

Nowadays, you have sudo -s to replace su, to access the shell as root.

:!: But, as usual, be careful and have a reliable recent backup of whatever you could damage accidentally... ;-)

The main interest, for me, is to be able to execute certain commands that fail when just using sudo.
For example, using the echo command to write some text into a file owned by root without changing the ownership or permissions:

Code:

user@system ~ $
user@system ~ $ # This is a comment... It starts with a "#" sign and can be added to command line after placing a ";" to separate both.
user@system ~ $ echo $USER ; # better than "whoami" command.
user
user@system ~ $ ls -l /root/some_test.txt ; # To be sure that /root/some_test.txt does not exist.
ls: cannot access /root/some_test.txt: No such file or directory
user@system ~ $ sudo echo "some text from $USER" > /root/some_test.txt ; # Tries to write some text into the file and fails...
bash: /root/some_test.txt: Permission denied
user@system ~ $ sudo -s ; # switching to root's shell...
system ~ # #
system ~ # # Do take note of the "#" sign replacing the usual "$" sign for other users...
system ~ # #
system ~ # echo $USER ; # better than "whoami" command.
root
system ~ # sudo echo "some text from $USER" > /root/some_test.txt
system ~ # cat /root/some_test.txt
some text from root
system ~ # rm /root/some_test.txt
system ~ # exit ; # Exiting root's shell
exit
user@system ~ $


The reason for the failure is that sudo applies to the command/program, not to the file, which is not accessible by the current user...
Try the following command in case of doubt: sudo echo $USER, which gives a different result than sudo whoami, while supposed to be "equivalent"... ($USER being a system-managed variable...) :!:

Code:

user@system ~ $
user@system ~ $ sudo echo $USER
user
user@system ~ $ sudo whoami
root
user@system ~ $



Enjoy ! ;-)

Best regards,
HP_
- Acer Aspire One Cloudbook 11 (AO1-131-C22E) + LinuxMint 17.3
- Acer Aspire One Cloudbook 14 (AO1-431-C7EJ) + LinuxMint 17.2 (else, can't make use of it under LM17.3 - Cinnamon, due to APIC-related issue(s)... :-/
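
Added example, not part of the original post: the transcript above fails because the calling shell, not sudo, expands $USER and opens the redirect target. The sketch below reproduces that without root by using a hypothetical stand-in, elevated, which runs a command with USER=root and umask 077, so the mode of each new file shows which side created it; the real sudo forms are given in the comments.

```shell
#!/bin/sh
# Added example: which process expands $USER and opens the redirect target?
# "elevated" is a hypothetical stand-in for sudo so this runs without root:
# it runs its arguments with USER=root and umask 077. The caller keeps
# umask 022, so the mode of a new file reveals which side created it.
elevated() { ( umask 077; env USER=root "$@" ); }

mode_of() { ls -l "$1" | cut -c1-10; }

# Pattern from the post: the calling shell expands $USER and opens the file
# before the stand-in runs; the elevated echo only inherits the open fd.
caller_redirect() {
    ( umask 022; USER=user; cd "$1" || exit 1
      elevated echo "some text from $USER" > caller.txt
      printf '%s|%s\n' "$(mode_of caller.txt)" "$(cat caller.txt)" )
}

# Fix 1: tee runs elevated and opens the file itself. Real form:
#   echo "some text" | sudo tee /root/some_test.txt > /dev/null
tee_write() {
    ( umask 022; USER=user; cd "$1" || exit 1
      echo "some text from $USER" | elevated tee tee.txt > /dev/null
      printf '%s|%s\n' "$(mode_of tee.txt)" "$(cat tee.txt)" )
}

# Fix 2: single quotes hand both the expansion and the redirect to a shell
# that runs elevated. Real form:
#   sudo sh -c 'echo "some text from $USER" > /root/some_test.txt'
inner_shell_write() {
    ( umask 022; USER=user; cd "$1" || exit 1
      elevated sh -c 'echo "some text from $USER" > inner.txt'
      printf '%s|%s\n' "$(mode_of inner.txt)" "$(cat inner.txt)" )
}

demo() {
    d=$(mktemp -d) || return 1
    caller_redirect "$d"; tee_write "$d"; inner_shell_write "$d"
    rm -rf "$d"
}
demo
```

Only the inner-shell form both creates the file on the elevated side and sees USER=root; with tee the file is created on the elevated side but the text was already expanded by the caller.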


Postby ivan-the-idiot » Sat May 21, 2016 11:05 am

In practice, using sudo -i and using su - have the same effect. Using sudo to run an application is more like using setuid/setgid permissions on the binary than it is actually becoming root and executing the program.

However... in a shared admin environment where there are multiple admins sudo can be configured to do the following:

Allow only certain applications to be run based on username and/or group membership
Log all uses - so you can see who sudo'd what and when
Log all attempts w/ wrong password - so you can see who tried to do stuff...

This means you can do things like give a web developer access to enable/disable apache or php modules/extensions and restart the webserver, but NOT mess with the rest of the system (on a development box of course - not production), and when they b0rk it you have a log of what commands were run beforehand. Or give a junior admin rights needed to run backups, etc.
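
Added example, not part of the original post: a small audit of the log records described above, showing who ran what through sudo and who was refused. The log lines in SAMPLE_LOG are constructed for illustration, and the function names sudo_audit and sudo_refusals are hypothetical; reading the real records from /var/log/auth.log assumes a default Debian/Ubuntu/Mint syslog setup.

```shell
#!/bin/sh
# Added example: summarise sudo syslog records (who ran what, who was refused).
# SAMPLE_LOG is constructed for this example; on a real system feed the
# function from the auth log instead (assumed path: /var/log/auth.log).
SAMPLE_LOG='May 21 10:58:01 devbox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/a2enmod rewrite
May 21 10:58:09 devbox sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
May 21 10:58:30 devbox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
May 21 11:02:47 devbox sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
May 21 11:05:12 devbox sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash'

# Reads syslog lines on stdin and prints one record per sudo event:
#   STATUS|invoking user|time|target user|command
# STATUS is OK, BADPASS (wrong password) or DENIED (refused by the policy).
sudo_audit() {
    awk '
    / sudo(\[[0-9]+\])?: +[^ ]+ : / {
        when = $1 " " $2 " " $3
        match($0, / sudo(\[[0-9]+\])?: +/)
        rec = substr($0, RSTART + RLENGTH)          # text after the "sudo:" tag
        user = rec; sub(/ : .*$/, "", user)
        rest = substr(rec, length(user) + 4)        # text after "user : "
        status = "OK"
        if (rest !~ /^[A-Z]+=/)                     # a reason precedes TTY=
            status = (rest ~ /^[0-9]+ incorrect password/) ? "BADPASS" : "DENIED"
        target = substr(rest, index(rest, "USER=") + 5)
        sub(/ ; .*$/, "", target)
        cmd = substr(rest, index(rest, "COMMAND=") + 8)
        print status "|" user "|" when "|" target "|" cmd
    }'
}

# Events to review first: wrong passwords and commands the policy refused.
sudo_refusals() { sudo_audit | awk -F'|' '$1 != "OK"'; }

printf '%s\n' "$SAMPLE_LOG" | sudo_audit
```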


Postby slipstick » Tue May 24, 2016 4:27 pm

HP Sparks wrote: Nowadays, you have sudo -s to replace su, to access the shell as root.


I notice that if I use sudo -s it creates and leaves the file ~/.cache/dconf/user, a 2-byte binary file owned by root. This causes an error when I try to backup using Grsync (permission denied) - I have to manually remove this file before backup if I don't want an error message. If I use instead sudo -i which opens a login shell, then no file owned by root is left behind in ~.
In theory, theory and practice are the same. In practice, they ain't.


Postby HP Sparks » Tue May 31, 2016 1:57 am

slipstick wrote:
HP Sparks wrote: Nowadays, you have sudo -s to replace su, to access the shell as root.


I notice that if I use sudo -s it creates and leaves the file ~/.cache/dconf/user, a 2-byte binary file owned by root. This causes an error when I try to backup using Grsync (permission denied) - I have to manually remove this file before backup if I don't want an error message. If I use instead sudo -i which opens a login shell, then no file owned by root is left behind in ~.


Interesting and worth knowing! ;-)
Is that part of the sudo program or a consequence of its configuration file(s)?

What else may (or may not) be done in the background while using sudo -s in place of sudo -i?

info sudo gives very little information and a pointer to the /etc/sudoers security policy configuration file.

Code:

...
...
     -i, --login
                 Run the shell specified by the target user's password data‐
                 base entry as a login shell.  This means that login-specific
                 resource files such as .profile or .login will be read by the
                 shell.  If a command is specified, it is passed to the shell
                 for execution via the shell's -c option.  If no command is
                 specified, an interactive shell is executed.  sudo attempts
                 to change to that user's home directory before running the
                 shell.  The command is run with an environment similar to the
                 one a user would receive at log in.  The Command Environment
                 section in the sudoers(5) manual documents how the -i option
                 affects the environment in which a command is run when the
                 sudoers policy is in use.
...
...
     -s, --shell
                 Run the shell specified by the SHELL environment variable if
                 it is set or the shell specified by the invoking user's pass‐
                 word database entry.  If a command is specified, it is passed
                 to the shell for execution via the shell's -c option.  If no
                 command is specified, an interactive shell is executed.

...
...



:!: If someone wants to have a look at the /etc/sudoers file, it is highly recommended to do it using the visudo program, to prevent disastrous effects in case of accidental editing, as visudo does specific and necessary syntax checking not offered by other text editors.


Postby slipstick » Wed Jun 01, 2016 2:16 am

Here's an answer to a question from four years ago that says sudo -i is more secure than sudo -s:

https://unix.stackexchange.com/question ... -sudo-bash

Security aside, it seems to me that sudo with any option should clean up after itself and not leave files owned by root in your home directory. Don't know if that's a bug or just something that I don't understand.