Terminus
How To Use sudo su

In Unix-like operating systems, the [.inline-code]su[.inline-code] command is used to temporarily log into another user account and execute commands with its privileges. Like the [.inline-code]sudo[.inline-code] command, it is generally used to execute commands as the superuser (also known as the "root" user). The difference between [.inline-code]su[.inline-code] and [.inline-code]sudo[.inline-code] is that the [.inline-code]su[.inline-code] command gives access to an interactive shell session, whereas the [.inline-code]sudo[.inline-code] command only executes one command at a time.

In this article, we’ll explain why these two commands are often combined together in order to access a root shell, and how to run [.inline-code]sudo[.inline-code] commands without having to type in the user password.

[#spawn-root-shell-with-su]Spawning a root shell with the [.inline-code]su[.inline-code] command[#spawn-root-shell-with-su]

When called with no user specified, the [.inline-code]su[.inline-code] command will attempt to run an interactive shell as root, prompting you to enter the root password.

Since the root account is disabled by default on most Linux distributions (the root password is left unset so that nobody can log into it directly), running the [.inline-code]su[.inline-code] command on its own will result in an authentication error with a message like [.inline-code]su: Authentication failure[.inline-code].

[#log-in-as-root-user]Logging in as the root user[#log-in-as-root-user]

To get around this restriction and obtain a root shell, a user listed in the sudoers file can prefix the [.inline-code]su[.inline-code] command with [.inline-code]sudo[.inline-code] and enter their own password instead of the root password. Note that since the default behavior of [.inline-code]su[.inline-code] is to connect to the root account, [.inline-code]sudo su[.inline-code] and [.inline-code]sudo su root[.inline-code] have the same effect.

Once you’ve entered your password, you can confirm that you are logged in as the root user with the [.inline-code]whoami[.inline-code] command, which prints the effective user name of the current session.

From here, you can execute any command that usually requires elevated privileges without having to prefix it with [.inline-code]sudo[.inline-code].

[#how-to-exit-sudo-su]How to exit [.inline-code]sudo su[.inline-code][#how-to-exit-sudo-su]

To terminate the current shell session and come back to the user account you were previously logged in as, you can run the [.inline-code]exit[.inline-code] command.

[#use-sudo-su-for-login-shell]Use [.inline-code]sudo su -[.inline-code] to run a login shell[#use-sudo-su-for-login-shell]

By default, the [.inline-code]su[.inline-code] command will preserve the environment variables and the current working directory of the previous user.

To start the shell as a login shell with an environment similar to a real login, you can use the [.inline-code]-[.inline-code] option:

 $ sudo su -

Which will:

  • Clear all the environment variables except for TERM.
  • Initialize the environment variables HOME, SHELL, USER, LOGNAME and PATH.
  • Change the current directory to the user’s home directory.

[#sudo-su-vs-sudo-su]Don’t confuse [.inline-code]sudo -su[.inline-code] with [.inline-code]sudo su -[.inline-code]![#sudo-su-vs-sudo-su]

Note that [.inline-code]sudo -su[.inline-code] is not the same as [.inline-code]sudo su -[.inline-code]: in the first form, [.inline-code]-su[.inline-code] is parsed as option flags of the [.inline-code]sudo[.inline-code] command itself, where the [.inline-code]-s[.inline-code] flag runs a shell and the [.inline-code]-u[.inline-code] flag takes a user name and runs the command as that user instead of root.
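To make the parsing difference visible without touching [.inline-code]sudo[.inline-code] at all, the following added example (not part of the original article) runs a [.inline-code]getopts[.inline-code] loop whose option string has the same shape as sudo's [.inline-code]-s[.inline-code] (no argument) and [.inline-code]-u[.inline-code] (takes a user name). The function name and its output format are this example's own; it never invokes sudo.

```shell
# Added example, not part of the original article: a getopts loop whose
# option string mirrors sudo's -s (no argument) and -u (takes a user name).
# It only shows how a POSIX option parser splits the arguments; it never
# calls sudo and assumes nothing about the system it runs on.
parse_like_sudo() {
  OPTIND=1    # reset getopts state so the function can be called repeatedly
  result=""
  while getopts ":su:" opt "$@"; do
    case $opt in
      s)  result="$result shell" ;;                    # -s: run a shell
      u)  result="$result user=$OPTARG" ;;             # -u NAME: run as NAME
      :)  result="$result missing-arg-for-$OPTARG" ;;  # -u given without a name
      \?) result="$result unknown-option-$OPTARG" ;;
    esac
  done
  shift $((OPTIND - 1))
  # Report the parsed options, then whatever is left over as the command line.
  echo "${result# }|rest=$*"
}

parse_like_sudo -su          # shell missing-arg-for-u|rest=
parse_like_sudo -su alice    # shell user=alice|rest=
parse_like_sudo su -         # |rest=su -
```

The first call shows that [.inline-code]-su[.inline-code] is split into [.inline-code]-s[.inline-code] plus a [.inline-code]-u[.inline-code] that is still waiting for its user name, while in the last call [.inline-code]su -[.inline-code] contains no option flags at all and is passed through untouched as the command to run.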

[#run-sudo-su-without-password]Running [.inline-code]sudo su[.inline-code] without a password[#run-sudo-su-without-password]

By default, a command run with [.inline-code]sudo[.inline-code] requires the user to authenticate with their own password. In some cases, it may be useful to disable this mechanism: for example, when there is only one user account registered on the system, or when an automated script requires elevated privileges to perform certain tasks.

To do so, you can edit the sudoers file located at [.inline-code]/etc/sudoers[.inline-code] using the [.inline-code]visudo[.inline-code] command:

 $ sudo visudo

And add the [.inline-code]NOPASSWD[.inline-code] tag, followed by a single colon ([.inline-code]:[.inline-code]), in front of the command list (the last field) of the privilege line for the desired user:

 user ALL=(ALL:ALL) NOPASSWD:ALL

[#troubleshooting-sudo-su]Troubleshooting [.inline-code]sudo su[.inline-code] not working[#troubleshooting-sudo-su]

If the [.inline-code]sudo su[.inline-code] command doesn’t work, the issue is usually caused by one of two things.

First, make sure that the user account you are using is allowed to use sudo, typically by being a member of the administrative group (such as [.inline-code]sudo[.inline-code] or [.inline-code]wheel[.inline-code]), which can be verified by displaying the content of the [.inline-code]/etc/group[.inline-code] file.

Second, make sure that your user account is allowed to run the [.inline-code]su[.inline-code] command through [.inline-code]sudo[.inline-code], which can be verified by displaying the content of the [.inline-code]/etc/sudoers[.inline-code] file.
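The two checks above, and the [.inline-code]NOPASSWD[.inline-code] edit from the previous section, can be verified offline against copies of the files instead of by eyeballing them. The following added example (not part of the original article) does that: it parses a constructed [.inline-code]/etc/group[.inline-code]-format file to answer the group-membership question, walks a constructed sudoers file to answer whether a user may run [.inline-code]su[.inline-code] through [.inline-code]sudo[.inline-code] (directly or via a [.inline-code]%group[.inline-code] entry), and lists every entry that grants [.inline-code]NOPASSWD[.inline-code] on [.inline-code]ALL[.inline-code], which amounts to a password-less root shell. The sample users, groups and entries are constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: offline versions of the two
# troubleshooting checks above, plus a scan for over-broad NOPASSWD entries.
# Both input files below are constructed samples; point the functions at
# /etc/group and /etc/sudoers (as root) to check a real system.

GROUP_FILE=$(mktemp)
cat >"$GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
users:x:100:carol,deploy
EOF

SUDOERS_FILE=$(mktemp)
cat >"$SUDOERS_FILE" <<'EOF'
# constructed sample, not a real sudoers file
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL:ALL) NOPASSWD:ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
EOF
trap 'rm -f "$GROUP_FILE" "$SUDOERS_FILE"' EXIT

# user_groups USER FILE: print the groups (from an /etc/group-format file)
# that list USER as a member, space separated.
user_groups() {
  awk -F: -v u="$1" '{ n = split($4, m, ",")
                       for (i = 1; i <= n; i++) if (m[i] == u) printf "%s ", $1 }' "$2"
}

# in_group USER GROUP FILE: succeed if USER is a member of GROUP.
in_group() {
  case " $(user_groups "$1" "$3") " in *" $2 "*) return 0 ;; esac
  return 1
}

# sudoers_grants_su USER SUDOERS GROUPFILE: succeed if a sudoers entry that
# applies to USER (directly, or through a %group USER belongs to) lets them run
# either ALL commands or su. Handles comments, Defaults lines and tag prefixes;
# it does not expand aliases or @include directives.
sudoers_grants_su() {
  awk -v u="$1" -v g=" $(user_groups "$1" "$3") " '
    /^[ \t]*(#|$)/ || $1 == "Defaults" { next }
    {
      who = $1
      if (who ~ /^%/) { if (index(g, " " substr(who, 2) " ") == 0) next }
      else if (who != u) next
      line = $0
      sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", line)                   # drop "who host=(runas)"
      gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV|NOSETENV):[ \t]*/, "", line)   # drop tags
      n = split(line, c, /,[ \t]*/)
      for (i = 1; i <= n; i++)
        if (c[i] == "ALL" || c[i] ~ /^(\/usr)?\/bin\/su([ \t]|$)/) found = 1
    }
    END { exit !found }' "$2"
}

# overbroad_nopasswd SUDOERS: print the user or %group of every entry that
# grants NOPASSWD on ALL commands, i.e. a password-less root shell via sudo su.
overbroad_nopasswd() {
  awk '/^[ \t]*(#|$)/ || $1 == "Defaults" { next }
       /NOPASSWD:[ \t]*ALL([ \t,]|$)/ { print $1 }' "$1"
}

for u in alice bob carol deploy; do
  if sudoers_grants_su "$u" "$SUDOERS_FILE" "$GROUP_FILE"; then
    echo "$u: can run su through sudo"
  else
    echo "$u: cannot run su through sudo"
  fi
done
echo "password-less ALL entries: $(overbroad_nopasswd "$SUDOERS_FILE")"
```

In the sample, alice qualifies only through her [.inline-code]%sudo[.inline-code] membership, bob qualifies directly and is also the only entry flagged as over-broad, and deploy is not flagged because the [.inline-code]NOPASSWD[.inline-code] tag is scoped to a single [.inline-code]systemctl[.inline-code] command, which is the shape to prefer over [.inline-code]NOPASSWD:ALL[.inline-code] when a script needs password-less privileges. After editing a real sudoers drop-in, [.inline-code]visudo -cf FILE[.inline-code] checks its syntax before it takes effect.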