Skip to main content
knuth.info
  1. Posts/
  2. The Solo Stack/
  3. Control Box/

Understanding the difference: su vs sudo

·1055 words·5 mins
The Solo Stack Security Controlbox
Table of Contents
Controlbox - This article is part of a series.
Part 1: Why you should have a secure controlbox?
Part 2: Where should I put my secure controlbox?
Part 3: How to setup your control box
Part 4: This Article
Part 5: Essential Kernel Parameters for Your Debian Control Box

su vs sudo: Choosing the Right Privilege Escalation Method
#

When working with Linux systems, privilege escalation is a fundamental concept that every system administrator and developer must understand. Two primary tools facilitate this process: su (substitute user) and sudo (substitute user do). While both serve similar purposes, they differ significantly in their approach, security implications, and use cases.

Understanding the Basics
#

What is su?
#

The su command allows you to switch to another user account, most commonly the root user. When you use su -, you’re requesting a complete login shell as the target user, inheriting their environment variables and working directory.

su -
# or
su - username

What is sudo?
#

The sudo command enables you to execute specific commands with elevated privileges without switching users entirely. It provides fine-grained control over what commands users can execute and under what circumstances.

sudo command
# or
sudo -u username command

When to Use su
#

Ideal Scenarios for su
#

Extended Administrative Sessions: When you need to perform multiple administrative tasks consecutively, su - provides a more efficient workflow. Rather than prefixing every command with sudo, you can work directly in a root shell.

Legacy System Compatibility: Older systems or scripts that weren’t designed with sudo in mind may require direct root access. Some legacy applications expect to run as root and may not function properly with sudo’s permission model.

Interactive Root Sessions: When troubleshooting complex issues or performing system maintenance that requires extensive root access, a full root shell can be more practical than repeatedly using sudo.

Single-User Environments: On personal systems or development machines where security concerns are minimal, the simplicity of su - might be preferable.

When to Use sudo
#

Ideal Scenarios for sudo
#

Multi-User Environments: In organizations with multiple administrators, sudo provides superior access control and accountability. You can grant specific users permission to run only the commands they need.

Temporary Privilege Escalation: When you need root access for a single command or a brief task, sudo is more appropriate than switching to a root shell entirely.

Automated Scripts and Services: Sudo works better with automation tools and scripts that need occasional elevated privileges without maintaining a persistent root session.

Role-Based Access Control: When different team members need different levels of access, sudo’s configuration system allows for precise permission management.

Security Implications
#

Security Advantages of sudo
#

Accountability and Auditing: Every sudo command is logged with the user who executed it, the command run, and the timestamp. This creates a comprehensive audit trail that’s invaluable for security monitoring and compliance.

Principle of Least Privilege: Sudo allows you to grant users only the minimum privileges necessary for their tasks. A user might be able to restart a web server but not modify system files.

Password Timeout: Sudo caches authentication for a limited time (typically 15 minutes), reducing the need to repeatedly enter passwords while maintaining security.

Command Restrictions: You can restrict users to specific commands or command patterns, preventing accidental or malicious system damage.

Security Concerns with su
#

All-or-Nothing Access: Once you use su -, you have complete root access until you exit the shell. This violates the principle of least privilege and increases the risk of accidental damage.

Limited Audit Trail: While su usage can be logged, it doesn’t provide the same granular command-level auditing that sudo offers.

Password Sharing: Using su often requires sharing the root password among multiple administrators, creating security risks and making it difficult to track individual actions.

Session Persistence: Root shells can be inadvertently left open, creating security vulnerabilities if someone gains access to the terminal.

Configuration and Management
#

sudo Configuration
#

The /etc/sudoers file provides extensive configuration options:

# Allow user to run all commands
username ALL=(ALL:ALL) ALL

# Allow user to run specific commands without password
username ALL=(ALL) NOPASSWD: /bin/systemctl restart apache2

# Allow group members to run administrative commands
%admin ALL=(ALL) ALL

su Configuration
#

Configuration for su is simpler but less flexible, primarily involving:

  • Setting appropriate permissions on the su binary
  • Configuring PAM (Pluggable Authentication Modules) for authentication
  • Managing the root password policy

Best Practices
#

For sudo
#

Regular Auditing: Regularly review sudo logs and permissions to ensure they align with current security policies and job requirements.

Minimal Permissions: Grant users only the specific commands they need rather than blanket administrative access.

Use Groups: Organize users into groups with appropriate sudo permissions rather than managing individual user permissions.

Timeout Configuration: Adjust the sudo timeout based on your security requirements and user workflow needs.

For su
#

Limited Usage: Reserve su for situations where sudo isn’t practical or available.

Session Management: Always exit root shells promptly when finished with administrative tasks.

Environment Awareness: Use su - rather than su to ensure a clean root environment.

Performance Considerations
#

From a performance perspective, both tools have minimal overhead. However, sudo’s logging and permission checking can introduce slight delays, particularly on systems with complex sudoers configurations. For most use cases, this difference is negligible.

Conclusion
#

The choice between su and sudo depends on your specific environment, security requirements, and workflow preferences. In modern multi-user environments, sudo is generally preferred due to its superior security model, auditing capabilities, and fine-grained access control. However, su remains valuable for certain scenarios, particularly in single-user environments or when performing extensive administrative work.

For most organizations, implementing sudo with proper configuration and regular auditing provides the best balance of security, usability, and administrative oversight. The key is understanding both tools’ strengths and limitations to make informed decisions about when and how to use each one.

Remember that security is not just about the tools you use, but how you implement and maintain them. Regular security reviews, proper training, and adherence to the principle of least privilege are essential regardless of which privilege escalation method you choose.

Comparison Table
#

Featuresusudo
Access ModelFull user switchCommand-level execution
Password RequiredTarget user’s passwordCurrent user’s password
Session DurationUntil manual exitPer-command (with timeout)
Audit TrailBasic login/logoutDetailed command logging
Granular PermissionsAll-or-nothingFine-grained control
ConfigurationSimpleComplex but flexible
Multi-user SupportPassword sharing requiredIndividual user management
Security RiskHigher (persistent root)Lower (temporary elevation)
Best forExtended admin sessionsSingle commands/automation
Learning CurveMinimalModerate
Legacy CompatibilityExcellentGood
Principle of Least PrivilegeViolatesSupports
Marcus Knuth
Author
Marcus Knuth
Controlbox - This article is part of a series.
Part 1: Why you should have a secure controlbox?
Part 2: Where should I put my secure controlbox?
Part 3: How to setup your control box
Part 4: This Article
Part 5: Essential Kernel Parameters for Your Debian Control Box

Related