jett wrote: does sudo do something that su doesn't?
It jumps out of the session once it's finished, su doesn't per default, it stays in the account you su'd into. A funny combination under Ubuntu is sudo su - ... gives you a root shell
whats the difference between sudo and su?
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Re: whats the difference between sudo and su?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Here is some su vs sudo info https://help.ubuntu.com/community/RootSudo
Re: whats the difference between sudo and su?
Hi,
Nowadays, you have sudo -s to replace su, to access the shell as root.
But, as usual, be careful and have a reliable recent backup of whatever you could damage accidentally...
The main interest, for me, is to be able to execute certain commands failing while just using sudo.
For example, using the echo command to write some text into a file owned by root without changing the ownership nor permissions:
Code:
user@system ~ $
user@system ~ $ # This is a comment... It starts with a "#" sign and can be added to command line after placing a ";" to separate both.
user@system ~ $ echo $USER ; # better than "whoami" command.
user
user@system ~ $ ls -l /root/some_test.txt ; # To be sure that /root/some_test.txt does Not exist.
ls: cannot access /root/some_test.txt: No such file or directory
user@system ~ $ sudo echo "some text from $USER" > /root/some_test.txt ; # Tries to write some text into the file and fails...
bash: /root/some_test.txt: Permission denied
user@system ~ $ sudo -s ; # switching to root's shell...
system ~ # #
system ~ # # Do take note of the "#" sign replacing the usual "$" sign for other users...
system ~ # #
system ~ # echo $USER ; # better than "whoami" command.
root
system ~ # sudo echo "some text from $USER" > /root/some_test.txt
system ~ # cat /root/some_test.txt
some text from root
system ~ # rm /root/some_test.txt
system ~ # exit ; # Exiting root's shell
exit
user@system ~ $
Try the following command in case of doubt: sudo echo $USER, which gives a different result than sudo whoami, while supposed to be "equivalent"... ($USER being a system-managed variable...)
Code:
user@system ~ $
user@system ~ $ sudo echo $USER
user
user@system ~ $ sudo whoami
root
user@system ~ $
Enjoy !
Best regards,
HP_
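The failure shown in the post above, with two forms that work, as an added example that is not part of the original post. The `PRIV` variable and the function names `priv_write` and `priv_sh` are hypothetical; `PRIV` exists only so the functions can be tried without root (for instance `PRIV=env`).

```shell
#!/bin/sh
# Added example: why `sudo echo text > file` fails, and two forms that work.
# The redirection ">" and "$USER" are both processed by the *calling* shell
# before sudo starts, so they use the unprivileged user's identity.

# Hypothetical override for trying this without root; defaults to sudo.
: "${PRIV:=sudo}"

# Write one line to a file the caller cannot open (append with -a).
# tee runs under sudo and opens the file itself, so the calling shell
# never has to open the protected path.
priv_write() {
    mode=""
    if [ "$1" = "-a" ]; then mode="-a"; shift; fi
    file=$1; shift
    printf '%s\n' "$*" | $PRIV tee $mode "$file" >/dev/null
}

# Run a whole command line, redirections and variables included, inside a
# shell started by sudo. Pass it single-quoted so the calling shell leaves
# ">" and "$USER" for the privileged shell to interpret.
priv_sh() {
    $PRIV sh -c "$1"
}

# Usage (needs sudo rights, so left commented out):
#   priv_write /root/some_test.txt "some text from $USER"   # $USER expanded by the caller
#   priv_sh 'echo "some text from $USER" > /root/some_test.txt'  # expanded by the shell sudo started
```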
Re: whats the difference between sudo and su?
In practice, using sudo -i and using su - have the same effect. Using sudo to run an application is more like using setuid/setgid permissions on the binary than it is actually becoming root and executing the program.
However... in a shared admin environment where there are multiple admins sudo can be configured to do the following:
Allow only certain applications to be run based on username and/or group membership
Log all uses - so you can see who sudo'd what and when
Log all attempts w/ wrong password - so you can see who tried to do stuff...
This means you can do things like give a web developer access to enable/disable apache or php modules/extensions and restart the webserver, but NOT mess with the rest of the system (on a development box of course - not production), and when they b0rk it you have a log of what commands were run beforehand. Or give a junior admin rights needed to run backups, etc.
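The logging described in the post above can be read back out of syslog. This added example is not part of the original post; it parses sudo's log entries into one record per attempt. The log lines are constructed samples, and the function names and the `webdev` and `junior` accounts are hypothetical.

```shell
#!/bin/sh
# Added example: turn sudo syslog entries into "when|user|runas|status|command".

# Constructed sample lines, in the format sudo writes to syslog.
sample_log() {
cat <<'EOF'
Dec 28 07:16:01 devbox sudo:   webdev : TTY=pts/0 ; PWD=/home/webdev ; USER=root ; COMMAND=/usr/sbin/a2enmod rewrite
Dec 28 07:16:09 devbox sudo:   webdev : TTY=pts/0 ; PWD=/home/webdev ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
Dec 28 07:18:40 devbox sudo:   webdev : command not allowed ; TTY=pts/0 ; PWD=/home/webdev ; USER=root ; COMMAND=/bin/cat /etc/shadow
Dec 28 07:21:13 devbox sudo:   junior : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/junior ; USER=root ; COMMAND=/usr/local/bin/backup.sh
Dec 28 07:25:02 devbox sshd[811]: Accepted publickey for webdev from 192.0.2.10 port 50122 ssh2
EOF
}

# Read syslog text on stdin, print one record per sudo attempt.
sudo_audit() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: +/) {
        rest = substr($0, RSTART + RLENGTH)   # "user : field ; field ; COMMAND=..."
        i = index(rest, " : ")
        if (i == 0) next                      # PAM or other non-command line
        user = substr(rest, 1, i - 1)
        body = substr(rest, i + 3)
        c = index(body, "COMMAND=")
        if (c == 0) next
        cmd  = substr(body, c + 8)            # COMMAND= is last; keep it whole
        head = substr(body, 1, c - 1)
        j = index(head, " ; ")
        if (j == 0) next
        first = substr(head, 1, j - 1)
        # A first field without "=" is the refusal reason that sudo logged.
        status = "RAN"
        if (first !~ /=/) status = "REFUSED(" first ")"
        runas = "?"
        if (match(head, /USER=[^ ;]+/)) runas = substr(head, RSTART + 5, RLENGTH - 5)
        printf "%s %s %s|%s|%s|%s|%s\n", $1, $2, $3, user, runas, status, cmd
    }'
}

# Only the refused or failed attempts.
sudo_refused() {
    sudo_audit | awk -F"|" '$4 != "RAN"'
}
```

On Debian-family systems the input is typically `/var/log/auth.log`, for example `sudo_refused < /var/log/auth.log`.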
- slipstick
- Level 6
- Posts: 1071
- Joined: Sun Oct 21, 2012 9:56 pm
- Location: Somewhere on the /LL0 scale
Re: whats the difference between sudo and su?
HP Sparks wrote: Nowadays, you have sudo -s to replace su, to access the shell as root.
I notice that if I use sudo -s it creates and leaves the file ~/.cache/dconf/user, a 2-byte binary file owned by root. This causes an error when I try to backup using Grsync (permission denied) - I have to manually remove this file before backup if I don't want an error message. If I use instead sudo -i which opens a login shell, then no file owned by root is left behind in ~.
In theory, theory and practice are the same. In practice, they ain't.
Re: whats the difference between sudo and su?
slipstick wrote:
HP Sparks wrote: Nowadays, you have sudo -s to replace su, to access the shell as root.
I notice that if I use sudo -s it creates and leaves the file ~/.cache/dconf/user, a 2-byte binary file owned by root. This causes an error when I try to backup using Grsync (permission denied) - I have to manually remove this file before backup if I don't want an error message. If I use instead sudo -i which opens a login shell, then no file owned by root is left behind in ~.

Interesting and worth knowing!
Is that part of sudo program or consequences of its configuration file(s)?
What else may (or not) be done in the background while using sudo -s in place of sudo -i?
info sudo gives very little information and a pointer to the /etc/sudoers security policy configuration file.
Code:
...
...
-i, --login
    Run the shell specified by the target user's password database
    entry as a login shell. This means that login-specific
    resource files such as .profile or .login will be read by the
    shell. If a command is specified, it is passed to the shell
    for execution via the shell's -c option. If no command is
    specified, an interactive shell is executed. sudo attempts
    to change to that user's home directory before running the
    shell. The command is run with an environment similar to the
    one a user would receive at log in. The Command Environment
    section in the sudoers(5) manual documents how the -i option
    affects the environment in which a command is run when the
    sudoers policy is in use.
...
...
-s, --shell
    Run the shell specified by the SHELL environment variable if
    it is set or the shell specified by the invoking user's
    password database entry. If a command is specified, it is passed
    to the shell for execution via the shell's -c option. If no
    command is specified, an interactive shell is executed.
...
...
If someone wants to have a look at the /etc/sudoers file, it is highly recommended to do it using the visudo program, to prevent disastrous effects in case of accidental edition, as visudo does specific and necessary syntax checking Not offered by other text editors.
- slipstick
Re: whats the difference between sudo and su?
Here's an answer to a question four years ago that says sudo -i is more secure than sudo -s:
https://unix.stackexchange.com/question ... -sudo-bash
Security aside, it seems to me that sudo with any option should clean up after itself and not leave files owned by root in your home directory. Don't know if that's a bug or just something that I don't understand.
In theory, theory and practice are the same. In practice, they ain't.