sudo su "username" vs. su "username"

Please explain to me the difference between sudo su "username" and su "username".

Which has higher privileges? If I log into root with sudo su "username", am I root for one command only? So can it be that the beginning of the script works fine, but the rest doesn't? So in this case is su "username" suggested, because it has higher privileges? Please explain to me the difference between the 2 commands, thank you.

1 Answer

Here are the differences:

  • su <someuser> starts a shell for user someuser. Unless you're root, you'll be asked for the password of someuser.
  • su (without username) starts a shell for user root (after asking for the root password).
  • sudo asks for your password and (assuming you have sudo rights) executes a command with root privileges (sudo reboot asks for your password and reboots the computer).
  • sudo su <someuser> executes su with root privileges. So it doesn't ask for someuser's password. It will however ask for your password to verify your sudo rights. After that it will start a shell for user someuser.

In terms of privileges, there is no difference for the shell that is opened by sudo su <someuser> or by su <someuser>. This isn't a security issue, as the shell process can't escalate to the privileges of the parent process.

You can see the difference if you look at the process tree. sudo su <someuser> shows (assuming bash):

+───bash───su───bash

While su <someuser> shows:

+───bash───sudo───su───bash

Your next question is probably how to pass a password in an unattended script, which doesn't require user input. I think there are two options:

  • Run the script from cron (or any variant thereof) and run it as root
  • Run the script from your own account and use the -S option of sudo like this: echo <yourpassword> | sudo -S su -l <someuser> or even better: echo <yourpassword> | sudo -S su -l <someuser> -c '<somecommand>'. Make sure the script is only readable by yourself, as your password is in it. More indirectly, you can store your password in a file and cat it to sudo. Then your script can be readable, but your password file can't be.
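The answer above makes two practical points: the process tree tells you whether a shell was reached through sudo, and a password file fed to sudo -S must not be readable by anyone else. The following script is an added example (not code from the original answer or from the sudo project) that turns both into checks a script author can run. It assumes a Linux system with procps-style ps and GNU stat; the function names ancestor_chain, reached_via_sudo and secret_file_ok are made up for this example.

```sh
#!/bin/sh
# Added example, not part of the original answer.
# Assumes Linux: `ps -o comm=/ppid=` (procps) and GNU `stat -c`.

# ancestor_chain PID: print the command names from PID up to the top of the
# tree, oldest first, joined with "---" like a flattened pstree branch.
# A shell started by `sudo su user` shows a "sudo" link in this chain; a
# shell started by plain `su user` does not. This is more reliable than
# reading $SUDO_USER, which any parent can clear or set.
ancestor_chain() {
    pid=$1
    chain=""
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        name=$(ps -o comm= -p "$pid" 2>/dev/null | sed 's/^ *//; s/ *$//')
        [ -n "$name" ] || break
        chain="${name}${chain:+---$chain}"
        pid=$(ps -o ppid= -p "$pid" 2>/dev/null | tr -d ' ')
    done
    printf '%s\n' "$chain"
}

# reached_via_sudo [PID]: succeed if "sudo" appears among the ancestors of
# PID (default: the current shell).
reached_via_sudo() {
    case "$(ancestor_chain "${1:-$$}")" in
        *sudo*) return 0 ;;
        *)      return 1 ;;
    esac
}

# secret_file_ok FILE: succeed only if FILE is a regular file owned by the
# invoking user with mode 0600 or 0400, i.e. nothing for group or others.
# Run this before `sudo -S < FILE` so a world-readable password file is
# refused instead of silently used.
secret_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$f" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo with a constructed temporary file; the content is not a real password.
tmp=$(mktemp)
printf 'not-a-real-password\n' > "$tmp"
chmod 644 "$tmp"
if secret_file_ok "$tmp"; then
    echo "unexpected: 644 accepted"
else
    echo "refused: $tmp is group/world readable"
fi
chmod 600 "$tmp"
secret_file_ok "$tmp" && echo "ok: $tmp is private, acceptable for sudo -S"
rm -f "$tmp"

if command -v ps >/dev/null 2>&1; then
    echo "this shell's ancestry: $(ancestor_chain "$$")"
    reached_via_sudo && echo "reached through sudo" || echo "no sudo in the chain"
fi
```

In an unattended script you would call secret_file_ok on the password file and abort if it fails, then run the command as `sudo -S su -l <someuser> -c '<somecommand>' < "$file"` rather than echoing the password on the command line, where it would be visible in the process list.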
