UNIX: Switching Users with su
-
The su command first appeared in the earliest UNIX release in 1971 and has been a key part of the UNIX user security mechanisms ever since. The name stands for "substitute user"; it is commonly expanded as "super user", which is misleading, because becoming the superuser is only one of the things it does. The command is literally used to "switch users."
Using su is simple. Once you are logged into a UNIX machine, you use the syntax:
su username
You do this to take on the identity of another user, most commonly root, the superuser. For example, if you had logged in as roger, you could use su to switch into the account of wilma. su requires the password of the account you are switching into, so the power to su into an account is exactly the power to have logged into that account in the first place, and su itself adds no exposure. In practice, ordinary users switching between ordinary accounts is rare and has become rarer over the past few decades. In the real world, normal users use su to get to the root account, likely more than 99% of the time.
There are still legitimate use cases for user-to-user switching. Using it to act under the identity of a different person is not good practice, since anything done that way is attributed to the other person rather than to you. But having several user-level accounts of your own for different tasks or for testing is not unheard of, and su makes moving between them simple. So our user, Roger, might have a few accounts: roger, roger-test and roger-accounting. He uses one for his normal day-to-day work, one when he wants to test account changes that might cause problems, and one when he has to do accounting tasks that need elevated, but not root-level, permissions. Used this way, su supports the "least privilege" principle between user accounts.
The other very common use case for su is the reverse: the root account switching into a user account. This is commonly done for end-user support, letting a system administrator "see what the user sees" and test access or tools as that user. When root switches to a lesser user, there is no password prompt. On Linux, if the target account has a non-interactive shell such as /sbin/nologin (typical for service accounts), root can still step into it by naming a shell explicitly, for example su -s /bin/sh - www-data.
The one option almost everyone uses with su is the lone hyphen, which is shorthand for -l (--login on Linux). su does have a few other options (for example -c to run a single command as the target user instead of starting an interactive shell), but the hyphen is the one that matters day to day. Without it, su only changes the identity: you get a shell running as the target user, but you stay in the same directory and most of your own environment (exported variables and the like; the exact list varies by implementation) is carried along. With it, su runs a login shell: the environment is rebuilt from the target user's login scripts, the working directory becomes that user's home directory, and HOME, PATH and the rest are set as if that user had just logged in. That is the full environment of the new identity, and it is also why a root shell should be obtained with the hyphen: a privileged shell should not inherit an unprivileged account's environment. For these reasons, su is almost always used with the hyphen.
su - newuser
By default, if no username is supplied, su assumes the desired user is root. So if you are a normal user and would like to "su to root" with root's environment, simply:
su -
A very popular use of su is in combination with sudo, a much more recent tool built on the same concepts, which allows escalation to root without knowing the root password (the user's own password and a sudoers entry are what gets checked instead). Here is an example; note that sudo -i gives the same root login shell without involving su at all:
sudo su -
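As an added example that is not part of the original article, the script below makes the difference between su and su - visible. It runs a one-line probe in the target user's shell twice, once through a plain identity switch and once through a login shell, and compares the working directory, HOME and an exported marker variable. The account name wilma is hypothetical; each su call prompts for that account's password unless you are already root.

```shell
#!/bin/sh
# Added example (not from the original article): show what "su" carries across
# from the calling account and what "su -" throws away. Assumes a local account
# named "wilma" (hypothetical) whose password you know, or that you run as root.

# One-line probe, run inside the target user's shell. It is single-quoted so that
# every expansion happens in the NEW identity, not in the shell that launched su.
PROBE='printf "user=%s PWD=%s HOME=%s MARKER=%s\n" "$(id -un)" "$PWD" "$HOME" "${MARKER:-<unset>}"'

# Run the probe in the current identity: a baseline that needs no privilege.
probe_here() {
    sh -c "$PROBE"
}

# Run the probe as TARGET via "su" (identity switch only) and via "su -" (login
# shell). MARKER stands in for anything the calling account had exported,
# including things you would not want a root shell to inherit. "-c" is placed
# after the user name so it reaches the target's shell on Linux and BSD alike.
compare_switch() {
    target=${1:-root}
    MARKER="set-by-$(id -un)"
    export MARKER
    echo "== baseline, before switching =="
    probe_here
    echo "== su $target   (identity only: same directory, MARKER follows) =="
    su "$target" -c "$PROBE"
    echo "== su - $target (login shell: target's home directory, MARKER gone) =="
    su - "$target" -c "$PROBE"
}

# Usage (interactive):
#   compare_switch wilma
```

The middle run shows the caller's working directory and marker surviving the switch; the last run shows the target's home directory and an unset marker, which is the "full environmental experience" the hyphen provides, and the reason a root shell should always be obtained with it.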
Part of a series on Linux Systems Administration by Scott Alan Miller
-
That's an interesting option, being able to log into a regular user account without a password.
I always wished I could do that when setting up Windows systems. I have to get the user to log in to make those final little changes they like. Would be nice to do that without user intervention.
But isn't that a bit of a security risk? Though I am expecting a response from @scottalanmiller saying you have to trust your root user, and that the root user has access anyway.
-
@BRRABill said in UNIX: Switching Users with su:
But isn't that a bit of a security risk? Though I am expecting a response from @scottalanmiller saying you have to trust your root user, and that the root user has access anyway.
What is the perceived risk? The root account is not gaining any access that it did not already have. It is only "seeing things through the eyes of the user". There is no additional elevation of privilege here, root is already as elevated as it can be.
-
@scottalanmiller said in UNIX: Switching Users with su:
@BRRABill said in UNIX: Switching Users with su:
But isn't that a bit of a security risk? Though I am expecting a response from @scottalanmiller saying you have to trust your root user, and that the root user has access anyway.
What is the perceived risk? The root account is not gaining any access that it did not already have. It is only "seeing things through the eyes of the user". There is no additional elevation of privilege here, root is already as elevated as it can be.
Well, in the Windows world you could not log in to see everything as the user unless you change their password.
Now, you could access all their data, which I guess is 99% the same thing.
-
@BRRABill said in UNIX: Switching Users with su:
@scottalanmiller said in UNIX: Switching Users with su:
@BRRABill said in UNIX: Switching Users with su:
But isn't that a bit of a security risk? Though I am expecting a response from @scottalanmiller saying you have to trust your root user, and that the root user has access anyway.
What is the perceived risk? The root account is not gaining any access that it did not already have. It is only "seeing things through the eyes of the user". There is no additional elevation of privilege here, root is already as elevated as it can be.
Well, in the Windows world you could not log in to see everything as the user unless you change their password.
Now, you could access all their data, which I guess is 99% the same thing.
Right, in the Windows world as well you could make a copy of all of their data and settings and apply it to another account that is not theirs and "see" things as them without resetting their password. It is cumbersome, but you can do it. The Windows world has to block directly "seeing" things as a user because its audit trails do not track administrators through a change of that nature. UNIX does and knows what account under the hood is taking actions regardless of what account it "appears" to be on top.
-
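The audit point made in the post above (UNIX records which account is really acting, whatever identity it appears to be), as an added example that is not part of the thread: su logs every switch with the invoking account, the target and the terminal, and those records can be reviewed. The log lines below are constructed in the style of what util-linux su and pam_unix write on Linux, with hypothetical account names; the ADMINS allowlist is likewise an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): pull su activity out of
# syslog-style auth log lines. The sample below is constructed in the format
# util-linux su and pam_unix write on Linux; hosts, pids and names are made up.

SAMPLE_LOG='Mar  4 09:12:01 host su[2101]: (to root) roger on pts/0
Mar  4 09:12:01 host su[2101]: pam_unix(su-l:session): session opened for user root(uid=0) by roger(uid=1000)
Mar  4 09:20:47 host su[2230]: (to wilma) root on pts/1
Mar  4 09:31:09 host su[2377]: pam_unix(su-l:auth): authentication failure; logname=mallory uid=1002 euid=0 tty=pts/2 ruser=mallory rhost=  user=root
Mar  4 09:31:09 host su[2377]: FAILED SU (to root) mallory on pts/2
Mar  4 09:40:00 host sshd[2400]: Accepted publickey for roger from 10.0.0.5 port 51234 ssh2'

# Normalise every su record on stdin to: STATUS FROM->TO TTY
# The "(to X) Y on Z" record names the real invoking account, whatever the new
# identity looks like afterwards; that is the audit trail the thread refers to.
su_events() {
    awk '
    / su\[[0-9]+\]: .*\(to / {
        status = ($0 ~ /FAILED SU/) ? "FAILED" : "OK"
        rest = $0
        sub(/.*\(to /, "", rest)          # "root) roger on pts/0"
        split(rest, parts, /\) /)         # parts[1]=target, parts[2]="roger on pts/0"
        n = split(parts[2], w, " ")       # w[1]=invoking account, w[3]=tty
        printf "%s %s->%s %s\n", status, w[1], parts[1], (n >= 3 ? w[3] : "?")
    }'
}

# Hypothetical allowlist of accounts that are expected to su to root.
ADMINS="roger"

# Flag what a reviewer looks for: failures, anyone outside the allowlist
# becoming root, and root stepping down into a user (no password was asked).
review_su() {
    su_events | awk -v admins="$ADMINS" '
    BEGIN { split(admins, a, " "); for (i in a) ok[a[i]] = 1 }
    {
        split($2, ft, "->"); from = ft[1]; to = ft[2]
        if ($1 == "FAILED")
            print "ALERT failed su " from "->" to " on " $3
        else if (to == "root" && !(from in ok))
            print "ALERT unexpected root access by " from " on " $3
        else if (from == "root")
            print "NOTE  root took on identity of " to " on " $3 " (no password was required)"
        else
            print "ok    " $2 " on " $3
    }'
}

# Number of ALERT lines for the input on stdin, so results can be checked.
count_alerts() {
    review_su | grep -c '^ALERT'
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | review_su
```

On a live system feed it journalctl _COMM=su, or /var/log/auth.log (Debian-style) or /var/log/secure (Red Hat-style). Inside a switched shell on an ordinary tty or ssh session, logname and who am i still report the original login for the same reason: the underlying session, not the current uid, is what the system tracks.
-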
Pop quiz: why do you need the dash with su?
-
And why is it sometimes
one dash
and other times
two dashes
for other commands?
-
@BRRABill Exactly! Inquiring minds want to know
-
@BRRABill said in UNIX: Switching Users with su:
And why is it sometimes
one dash
One dash is normally used for "shorthand", or shortened operators for the different programs. I.e.
ls -ha
-h is really --human-readable being passed to ls and
-a is really --all being passed to ls
and other times
two dashes
Two dashes are normally "long form", see my previous ls example.
for other commands?
It's really just up to whoever wrote the program. For example, mdadm has lots and lots of optional command line switches. Because of how many long form options mdadm has, very few can be a single letter and still have each option be unique.
I'm sure I've got the details wrong and @scottalanmiller will pipe in sometime soon.
-
@travisdh1 said in UNIX: Switching Users with su:
@BRRABill said in UNIX: Switching Users with su:
And why is it sometimes
one dash
One dash is normally used for "shorthand", or shortened operators for the different programs. I.e.
ls -ha
-h is really --human-readable being passed to ls and
-a is really --all being passed to ls
and other times
two dashes
Two dashes are normally "long form", see my previous ls example.
for other commands?
It's really just up to whoever wrote the program. For example, mdadm has lots and lots of optional command line switches. Because of how many long form options mdadm has, very few can be a single letter and still have each option be unique.
I'm sure I've got the details wrong and @scottalanmiller will pipe in sometime soon.
Will | in very soon?
-
@BRRABill said in UNIX: Switching Users with su:
@travisdh1 said in UNIX: Switching Users with su:
@BRRABill said in UNIX: Switching Users with su:
And why is it sometimes
one dash
One dash is normally used for "shorthand", or shortened operators for the different programs. I.e.
ls -ha
-h is really --human-readable being passed to ls and
-a is really --all being passed to ls
and other times
two dashes
Two dashes are normally "long form", see my previous ls example.
for other commands?
It's really just up to whoever wrote the program. For example, mdadm has lots and lots of optional command line switches. Because of how many long form options mdadm has, very few can be a single letter and still have each option be unique.
I'm sure I've got the details wrong and @scottalanmiller will pipe in sometime soon.
Will | in very soon?
I'm so puny I don't even know it!
-
@BRRABill said in UNIX: Switching Users with su:
And why is it sometimes
one dash
and other times
two dashes
for other commands?
Because "commands" aren't really what they are. They are independent applications. There are conventions but that is all that they are.
-
@Grey said in UNIX: Switching Users with su:
Pop quiz: why do you need the dash with su?
Still no answers for this... hint: it has to do with environment.
-
@Grey said in UNIX: Switching Users with su:
@Grey said in UNIX: Switching Users with su:
Pop quiz: why do you need the dash with su?
Still no answers for this... hint: it has to do with environment.
Because it provides the user the full environmental experience of the new identity. For this reason, su is almost always used with a hyphen.
-
@DustinB3403 said in UNIX: Switching Users with su:
@Grey said in UNIX: Switching Users with su:
@Grey said in UNIX: Switching Users with su:
Pop quiz: why do you need the dash with su?
Still no answers for this... hint: it has to do with environment.
Because it provides the user the full environmental experience of the new identity. For this reason, su is almost always used with a hyphen.
Exactly! Lots of linux n00bs skip the dash and it's amazing to see the confusion when things just "aren't right" as they're working in the shell.
-
@Grey said in UNIX: Switching Users with su:
Pop quiz: why do you need the dash with su?
That was in the original article.
-
@scottalanmiller said in UNIX: Switching Users with su:
@Grey said in UNIX: Switching Users with su:
Pop quiz: why do you need the dash with su?
That was in the original article.
And I quoted you without quoting you..... see what I did there, I switched a few words
-