The Serpent

// Cursing the Internet since 1998

The Many su's of sudo

Posted March 5, 2022 Linux

For many years, things in the superuser world of Linux were ticking along nicely. Thanks to abilities that allowed us to separate commands meant for important system configuration, and checking our email. However one day back in 2017, it all went and got a little bit more complicated, albeit briefly.

OK, it was mainly a lack of understanding of the changes surrounding commands like sudo and su, and admittedly a whole lot of stubbornness and unwillingness to learn said changes! Eventually I got the hang of it, but to this day I still struggle to remember which is the correct way to gain elevated privileges to Linux depending on the particular system I’m using.

So here’s a quick primer if you’re finding none of your commands work when using su or some other unholy method of trying to get what you want. Since I prefer Debian as my choice in Linux Distro these days (pitchforks down, please) I’ll focus there - but since it’s the daddy of many distributions, these lessons should carry over.

It’s always been about sudo

But of course you wouldn’t have problems if you just did things correctly right?! When it comes to Linux, well yes. sudo is and always has been the way to temporarily elevate privileges in order to run superuser commands. But for lazy admins like me, having to type it every time, really?

admin@some-host:~$ sudo apt-get update
admin@some-host:~$ sudo apt-get upgrade
admin@some-host:~$ sudo systemctl status filebeat
admin@some-host:~$ sudo aghhhh!

It gets… repetitive. Still, it’s the safest way. It ensures you think about what you type - make sure all commands are necessary, correct and don’t format entire file systems.

But what if the Linux box we’re on isn’t a nuclear early warning system or flow regulator for your local hydroelectric dam, and we’re just using a development box that’s going to get blown away in 45 minutes, how can we skip the best practice crap and just let me type stuff which might break the planet?

Using su to get stuff done

If you really want to upset the Linux purists, using su to plough through a bunch of systems commands will probably do it. Before Debian 9, this was easily achieved using just the command su with no parameters. Until one day, something changed.

The implementing of su switched, which caused a number of changes. But they key one being that environment variables (specifically $PATH), were no longer applied when elevating a user.

admin@some-host:~$ su
Password:
root@some-host:/home/admin# ldconfig
bash: ldconfig: command not found

As you can see, on a modern (Debian 9+) system, basic system commands cannot be found. The correct way to use su is:

admin@some-host:~$ su -
Password:
root@some-host:~# ldconfig
root@some-host:~#

The - parameter is short for --login, and effectively copies the environment of the real use to the elevated user. In most cases, this is what you want.

Can sudo do it?

Of course it can, and this is the way you probably should get used to. The equivalent command is sudo -s, which is short for --shell, and also invokes a new shell with the same environment as the real user who invokes it.

The Many su's of sudo
Posted March 5, 2022
Written by John Payne