
Linux sudo and su

02 Mar 2015

su - change user ID or become superuser


su [options] [username]

su switches users. The username to switch to follows it; when none is given it defaults to root.

tankywoo@gentoo-local::~/ » whoami
tankywoo
tankywoo@gentoo-local::~/ » pwd
/home/tankywoo
tankywoo@gentoo-local::~/ » su
root@gentoo-local::tankywoo/ » whoami
root
root@gentoo-local::tankywoo/ » pwd
/home/tankywoo
root@gentoo-local::tankywoo/ »

The current environment is passed to the new shell. The value of $PATH is reset to /bin:/usr/bin for normal users, or /sbin:/bin:/usr/sbin:/usr/bin for the superuser.

With no arguments, su leaves you in the directory you were in before switching, passes the current environment through, and resets $PATH to the values quoted above. Which su is installed (coreutils or util-linux) changes the exact details of what is reset, so check `man su` on the system you are on.

The -, -l, --login option is the one used most often (as in sudo su -):

Provide an environment similar to what the user would expect had the user logged in directly.

When - is used, it must be specified as the last su option. The other forms (-l and --login) do not have this restriction.

Logging in with su - [username] gives you the target user's own environment variables.

sudo, sudoedit — execute a command as another user

sudo runs a command as another user.

Which users may use sudo, and which commands they may run as whom, is configured in /etc/sudoers. A rule there can, for example, let the user tankywoo run every command without entering (their own) password.


users  hosts = (run-as) commands

users may run commands as the run-as user on the listed hosts.

An example from the Gentoo sudo guide (KILL here is a command alias, declared with a Cmnd_Alias line elsewhere in the same file):

# let swift run the KILL commands as the apache or gorg user
swift   ALL = (apache, gorg) KILL

# as swift, run:
sudo -u apache pkill apache

Note that /etc/sudoers is edited with the visudo command, not directly with vi: visudo checks the syntax when you save and refuses to write a broken file (it also locks the file against concurrent edits), and a sudoers file with a syntax error makes sudo refuse every command. I once edited it directly with vi and saved it, which left sudo unusable. `visudo -c` checks an existing file without editing it.


sudo su
sudo su -

Without sudo, su asks for the password of the user you are switching to; with sudo in front, you authenticate with your own password, and sudoers decides whether you may run su at all. The difference between the forms with and without - is the one described above.

A common case, running a command as some user:

sudo -u [username] [run command]


# as newuser, list newuser's home directory
tankywoo@gentoo-local::~/ » sudo -u newuser ls ~newuser

A common case, switching user:

sudo -u [username] -i
sudo -u [username] [shell path]
sudo -u [username] -s


The -i (simulate initial login) option runs the shell specified by the password database entry of the target user as a login shell. This means that login-specific resource files such as .profile or .login will be read by the shell.

Like su - above, -i gives you the target user's own environment.


`su - [username]` and `sudo -u [username] -i` therefore give the same kind of login shell for the target user; the difference is only in whose password is asked for.

The -s option runs the shell named in the current $SHELL environment variable (falling back to the invoking user's login shell from the password database) as the target user. A shell can also be given explicitly as the command, for example:

$ sudo -u tankywoo /bin/bash


About login shells and non-login shells

From an answer on Stack Exchange:

A login shell is the first process that executes under your user ID when you log in for an interactive session. The login process tells the shell to behave as a login shell with a convention: passing argument 0, which is normally the name of the shell executable, with a - character prepended.

ref to man bash - INVOCATION:

A login shell is one whose first character of argument zero is a -, or one started with the --login option.

An interactive shell is one started without non-option arguments and without the -c option whose standard input and error are both connected to terminals (as determined by isatty(3)), or one started with the -i option. PS1 is set and $- includes i if bash is interactive, allowing a shell script or a startup file to test this state.

Whether the current shell is a login shell can be checked with:

echo $0

A login shell prints -[shell name], beginning with a dash, or it was started with the --login option (which echo $0 will not show; in bash, shopt -q login_shell covers both cases); otherwise it is a non-login shell.

Both su - and bash --login start a login shell, as does sudo -i.
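As an added example (my own script, not from the post): a POSIX sh script that classifies a shell from the two signals quoted above, argv[0] and the `$-` flag string, and then shows the practical consequence of the distinction, that a login shell reads `~/.profile` while a plain `bash -c` does not. The argv[0] and flag values passed to classify_shell are constructed; `profile_marker` assumes bash is on PATH and uses a throwaway HOME so the real profile is untouched.

```shell
#!/bin/sh
# Added example, not part of the original post: tell a login shell from a
# non-login one, and an interactive shell from a non-interactive one, using
# the two signals the bash manual names (argv[0] and the $- flag string).

# classify_shell ARGV0 FLAGS: print "<login|non-login> <interactive|non-interactive>".
# The values are passed in rather than read from $0 and $- directly so the
# logic can be exercised with constructed inputs; real callers pass "$0" "$-".
classify_shell() {
    case $1 in
        -*) kind=login ;;          # login(1), su - and sudo -i prepend a dash to argv[0]
        *)  kind=non-login ;;
    esac
    case $2 in
        *i*) mode=interactive ;;   # the shell adds i to $- when it is interactive
        *)   mode=non-interactive ;;
    esac
    printf '%s %s\n' "$kind" "$mode"
}

# is_login_shell: exit 0 if the shell running this script is a login shell.
# `bash --login` gives a login shell whose $0 carries no dash, so under bash
# ask the shell itself; elsewhere fall back to the argv[0] convention.
is_login_shell() {
    if [ -n "${BASH_VERSION-}" ]; then
        shopt -q login_shell
    else
        case $0 in -*) return 0 ;; *) return 1 ;; esac
    fi
}

# profile_marker MODE: start a child bash (MODE=login via --login, anything
# else plain) under a throwaway HOME whose .profile exports MARK, and print
# MARK as the child sees it. A login shell reads ~/.profile; `bash -c` alone
# does not. Assumes bash is on PATH; prints "no-bash" otherwise. Only the
# last output line is kept so that chatter from /etc/profile is ignored.
profile_marker() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    tmp=$(mktemp -d) || return 1
    printf 'export MARK=from-profile\n' > "$tmp/.profile"
    if [ "$1" = login ]; then
        HOME=$tmp bash --login -c 'printf "%s\n" "${MARK:-unset}"' | tail -n 1
    else
        HOME=$tmp bash -c 'printf "%s\n" "${MARK:-unset}"' | tail -n 1
    fi
    rm -rf "$tmp"
}

# When run directly, report on the shell executing this script.
classify_shell "$0" "$-"
if is_login_shell; then echo "this is a login shell"; else echo "this is not a login shell"; fi
echo "login child sees MARK=$(profile_marker login), plain child sees MARK=$(profile_marker plain)"
```

Run as `sh script.sh` it reports a non-login, non-interactive shell (the script's own) and then `MARK=from-profile` for the login child against `MARK=unset` for the plain one, which is exactly the difference between `su`/`sudo -s` on one side and `su -`/`sudo -i` on the other: what ends up in PATH and HOME depends on which startup files the new shell bothers to read.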