# 02-A.3: su: The Command

## The su Command

Some Linux distros have made the decision to disable the administrative root account by default in all installations. This does not mean that the root account has been deleted or that it may not be accessed. It has merely been given a password which matches no possible encrypted value, and therefore root may not log in directly by itself. This simply means that root cannot gain access to the system via the login prompt.

Not to fear, there are still tools available to allow users to gain root user privileges. One method is to use the su command. Although su can be used to change the ownership of a session to any user, it is most commonly employed to change the ownership from an ordinary user to the root (i.e., administrative) user, thereby providing access to all parts of and all commands on the computer or system. For this reason, it is often referred to (although somewhat inaccurately) as the superuser command. It is also sometimes called the switch user command.

To use the su command one simply issues:

pbmac@pbmac-server $ su username

OR

pbmac@pbmac-server $ su - username


where username is the user that you desire to switch to. If you do NOT specify a username, it is assumed you are attempting to switch to the root user.

The default behavior of su is to maintain the current directory and the environmental variables of the original user (rather than switch to those of the new user). Although the shell account likewise remains that of the original user, any new, unprivileged user (i.e., users other than root and others with some system privileges) does not gain automatic access to the directories or files of the former owner of the session.

So, a user is logged in as pbmac, and the user issues the command:

pbmac@pbmac-server $ su bob

It will change the UID to that of bob, but it will still be operating under the environment of pbmac's login (notice it did not change the pwd).

BUT

if the user issues the command:

pbmac@pbmac-server $ su - bob


it changes the pwd, because the environment is now set according to bob's login. We will talk more later about a user's environment.

Sometimes an administrator needs to log in to a user's account as that user. At times, the most efficient way to solve a user's problem is to log into that user's account in order to reproduce or debug the problem.

However, in many situations it is not desirable, or it can even be dangerous, for the root user to be operating from an ordinary user's shell account and with that account's environmental variables rather than from its own. While inadvertently using an ordinary user's shell account, root could install a program or make other changes to the system that would not have the same result as if they were made while using the root account. For instance, a program could be installed that could give the ordinary user power to accidentally damage the system or gain unauthorized access to certain data.

Thus, it is advisable that administrative users, as well as any other users that are authorized to use su (of which there should be very few, if any), acquire the habit of always following the su command with a space and then a hyphen. The hyphen has two effects: (1) it switches the current directory to the home directory of the new user (e.g., to /root in the case of the root user) and (2) it changes the environmental variables to those of the new user. That is, if the first argument to su is a hyphen, the current directory and environment will be changed to what would be expected if the new user had actually logged on to a new session (rather than just taking over an existing session).
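
To check whether that habit is actually being followed, the following added example (not part of the original page) scans authentication log lines and reports root sessions that were opened with plain su instead of su -. It assumes the util-linux su, which uses the PAM service name "su" for a plain switch and "su-l" for a login-style switch; the function name and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag root sessions opened with plain `su` rather than `su -`.
# Assumption: util-linux su, which goes through the PAM service "su" for a
# plain switch and "su-l" for a login-style switch (`su -`), with pam_unix
# logging "session opened for user X by Y(uid=N)".

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG='May  4 10:01:12 pbmac-server su: pam_unix(su:session): session opened for user root(uid=0) by pbmac(uid=1000)
May  4 10:07:40 pbmac-server su: pam_unix(su-l:session): session opened for user root(uid=0) by pbmac(uid=1000)
May  4 10:15:03 pbmac-server su: pam_unix(su:session): session opened for user bob(uid=1001) by pbmac(uid=1000)
May  4 10:20:55 pbmac-server su: pam_unix(su:session): session opened for user root by alice(uid=1002)'

# Read log lines on stdin; print "<month> <day> <time> <invoker>" for every
# root session opened through the non-login "su" service.
flag_plain_root_su() {
    awk '
        # Match only the plain "su" service and only the target user root
        # (followed by "(" or a space, so a name like "rootkit" is ignored).
        /pam_unix\(su:session\): session opened for user root[( ]/ {
            by = $NF                      # e.g. "pbmac(uid=1000)"
            sub(/\(.*/, "", by)           # strip the "(uid=...)" suffix
            if (by == "") by = "unknown"  # some PAM builds log "by (uid=N)"
            print $1, $2, $3, by
        }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_plain_root_su
```

On a real host, feed the function the system authentication log instead of the sample; the log's location and exact line format vary by distribution.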