What Does su Mean?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
The 'su' command lets you become another user on a Linux or Unix system. It is most often used to switch to the root user (the superuser) so you can run commands that require higher permissions. You need to know the password of the user you want to become. It's a key tool for system administrators and appears on many IT certification exams.
Commonly Confused With
'sudo' allows a permitted user to execute a command as the superuser or another user, but it requires the user's own password (or no password, if configured). 'su' requires the target user's password and opens a new shell. 'sudo' is more granular because you can allow specific commands to specific users. 'su' gives full root access once authenticated.
To edit a file as root using sudo, you would type: sudo vim /etc/hosts and then enter your own password. To do the same using su, you would type: su -c "vim /etc/hosts" and then enter the root password.
The 'login' command starts a new login session for a user on the system. It is usually run at the beginning of a terminal session. 'su' can also simulate a login session if you use the dash ('su -'), but 'su' is designed for transient privilege escalation, not for initial login. The 'login' command prompts for the username and password, while 'su' already knows the target user from its argument.
If you want to fully log in as root from a text console, you would type 'login root' and then the root password. If you are already logged in as alice and want to become root, you would type 'su -'.
'chsh' changes the default login shell for a user. 'su' does not change the shell permanently; it just opens a new shell session with the environment of the target user. The '-s' option of 'su' can temporarily specify a different shell, but it does not modify the user's record in /etc/passwd.
To temporarily become root using the bash shell even if root's default shell is sh: su -s /bin/bash. To permanently change alice's default shell to zsh: chsh -s /bin/zsh alice.
Must Know for Exams
The 'su' command is directly tested in several major IT certification exams, including CompTIA Linux+ (XK0-005), LPIC-1 (101-500 and 102-500), and Red Hat Certified System Administrator (RHCSA). In CompTIA Linux+, the exam objectives include 'Given a scenario, manage file and directory permissions and ownership', which directly involves switching to the root user to change permissions. The exam also tests the ability to 'execute commands as another user', which covers both 'su' and 'sudo'. Expect questions that ask you to select the correct command to switch to root, to identify the option that creates a login shell, or to troubleshoot why a particular user cannot use 'su'.
In the LPIC-1 exam, Objective 109.5 is 'Manage user and group accounts and related system files'. This objective includes understanding 'su' and its configuration via PAM. Questions often present a scenario where a user needs to temporarily become root to install software. You might be asked which command line will allow the user to become root and stay in root's home directory. The correct answer is 'su -' (with the dash), and the distractors might include 'su', 'su root', or 'sudo su'. Another common question type: given a log file showing failed 'su' attempts, what might the issue be? The answer could be that the user is not in the 'wheel' group or that PAM configuration restricts 'su'.
For the RHCSA exam, 'su' appears in administrative tasks like resetting the root password, configuring network interfaces, or managing services. The exam may require you to switch to root using 'su' or 'sudo' and then perform a series of tasks. Candidates must know the difference between 'su' and 'su -' because the environment can affect the success of subsequent commands. For example, if you use 'su' without the dash and then run 'systemctl restart network', it might fail because the PATH variable does not include /sbin. This nuance is often tested.
In general, exam questions related to 'su' fall into three categories: command syntax (what does 'su -c command' do?), security configuration (which file controls 'su' access via PAM?), and troubleshooting (a user gets 'Authentication failure' when trying to 'su', why?). Mastering these patterns will help you answer confidently. Also note that while 'sudo' is more modern and more frequently recommended, 'su' remains a classic and is still heavily tested.
Simple Meaning
Think of 'su' as a magic ID card that lets you temporarily borrow someone else's access badge. In a company building, if you are a regular employee, you can only get into certain areas. But if your manager gives you their badge and their PIN, you can now get into the server room and the executive offices. That's what 'su' does. It lets you 'switch user' on a computer without having to log out of your own session.
When you type 'su' and then a username, you are asking the system to let you act as that user. If you type just 'su' with no username, the system assumes you want to become the root user, which is like the building's master key holder. The root user can do anything: install software, change system settings, create new user accounts, and even delete critical files (which is dangerous if you are not careful).
The key thing to remember is that you need the password of the user you are switching to. So if you want to become root, you must type the root password. This is different from another command called 'sudo', which lets you run just one command as root by typing your own password. 'su' gives you a whole new shell session as that other user, and it stays active until you type 'exit' to go back to your original identity.
This command is fundamental in Linux administration because it provides a way to perform tasks that require higher privileges. Without 'su', you might need to log out of your regular account and log back in as root every time, which is inefficient. But with great power comes great responsibility: if you accidentally delete system files while using 'su', the damage can be catastrophic. IT professionals learn to use 'su' carefully and to switch back as soon as they are done.
Full Technical Definition
The 'su' (substitute user) command is a standard Unix/Linux utility that allows a user to assume the identity of another user, effectively creating a new shell session with the user ID (UID), group ID (GID), and supplementary group memberships of the target user. It is defined by POSIX and implemented via the PAM (Pluggable Authentication Modules) framework in modern systems. When executed, 'su' performs authentication by requesting the password of the target user (unless run by root, who can switch to anyone without a password).
Behind the scenes, 'su' calls the system functions setuid() and setgid() to change the process credentials. The shell that opens after authentication inherits the environment of the target user, including environment variables like HOME, PATH, SHELL, USER, and LOGNAME. However, by default, 'su' preserves the current working directory and some environment variables, which can lead to unintended behavior if root's environment is expected. The '-' flag (as in 'su -') creates a login shell that completely simulates a fresh login, resetting all environment variables to the target user's default and changing to their home directory.
Key options include: -c, which allows running a single command and then returning to the original user; -s, which specifies a different shell; and -l, which also creates a login-like environment. The command 'su' alone (without a username) defaults to the superuser (root, UID 0). The command 'su [username]' switches to that specific user. Authentication failure results in an error message and does not grant access. Logging of 'su' usage can be configured via PAM and the 'syslog' system, often recorded in /var/log/auth.log or /var/log/secure.
In multi-user environments and enterprise servers, 'su' is often restricted using the 'wheel' group or through PAM configuration files like /etc/pam.d/su. Only users who are members of the 'wheel' group are allowed to use 'su' to switch to root, adding a layer of security. This is a common configuration in Linux distributions like Red Hat Enterprise Linux (RHEL) and CentOS. The 'su' command should not be confused with 'sudo', which follows a different authorization model based on /etc/sudoers file policies and typically does not require the target user's password.
From a security perspective, excessive use of 'su' with root privileges is discouraged on production systems. Instead, system administrators are encouraged to use 'sudo' for individual command execution, which provides an audit trail and limits the scope of elevated privileges. However, 'su' remains essential for interactive administration sessions and is still widely tested on certification exams like CompTIA Linux+, LPIC-1, and Red Hat Certified System Administrator (RHCSA).
Real-Life Example
Imagine a large hospital with different levels of access. You are Dr. Smith, a general practitioner. You have a badge that lets you enter patient rooms and your own office. But one day, you need to update the hospital's central database to correct a patient's allergy record. That database is stored in a locked room that only the system administrator, Dr. Anderson, can enter. You cannot get in with your own badge.
Instead of asking Dr. Anderson to come down and make the change for you (which could take hours), you call him on the phone. He gives you his badge number and his PIN. You go to a special terminal, swipe his badge, and type his PIN. For the next few minutes, you have his access level. You walk into the locked room, make the database change, and then you give the badge back to Dr. Anderson. You are now back to being just Dr. Smith.
In the computer world, Dr. Smith is your regular user account. The locked room is the root account. The badge and PIN are the root password. The 'su' command is the act of using the badge to switch identities. You enter 'su' on the command line, type the root password, and suddenly the system treats you as root. You can now modify system files, install software, or change user permissions. When you're done, you type 'exit', and you are back to your normal user.
The important part is that Dr. Anderson can later check the logs to see who used his badge and at what time. Similarly, the system logs who used 'su' to become root. This provides accountability. The analogy also highlights a security risk: if Dr. Smith writes down Dr. Anderson's PIN and someone else finds it, they could break into the locked room. That is why IT professionals guard the root password carefully and often prefer using 'sudo' instead.
Why This Term Matters
The 'su' command matters because it is a fundamental tool for system administration, security control, and troubleshooting on Linux and Unix-like operating systems. Without the ability to switch users, routine administrative tasks would become cumbersome. For example, if a package requires root privileges to install, you would have to log out of your normal account and log in as root. With 'su', you simply assume root identity from your current session, perform the installation, and then return to your normal user. This workflow is essential for efficiency in environments where multiple users manage a single server.
From a security standpoint, 'su' also helps enforce the principle of least privilege. Regular users should not operate daily with root access because it increases the risk of accidental system damage or security breaches. Instead, they log in as normal users and only use 'su' when a task demands higher privileges. This reduces the window of vulnerability. However, because 'su' requires the root password, it can become a security risk if the root password is shared among many people. That is why many organizations switch to 'sudo' for fine-grained access control, but 'su' remains the classic method.
For IT professionals, understanding 'su' is crucial when you are troubleshooting a system that is not accepting 'sudo' commands, when you need to test a user's environment, or when you are recovering a system that has no other administrative access. In many certification exam scenarios, you will be asked to use 'su' to perform a task as root, or to understand the difference between 'su' and 'su -'. Knowing how to properly use the command and its options can mean the difference between a successful system recovery and an accidental misconfiguration.
the command appears in scripts and automation tasks. A script might use 'su -c' to run a command as another user. Understanding how 'su' handles environment variables and shell initialization is necessary to prevent scripts from failing due to path issues or missing environment settings. In short, 'su' is not just textbook knowledge-it is a daily tool for anyone who works with Linux.
How It Appears in Exam Questions
In certification exams, 'su' typically appears in scenario-based multiple-choice questions, fill-in-the-blank commands, and troubleshooting scenarios. One common pattern is a scenario where a user named jdoe needs to edit a system configuration file that only root can modify. The question may ask: 'Which command should jdoe use to gain root privileges and then edit the file?' The correct answer could be 'su -c "vim /etc/ssh/sshd_config"', but the option might also present 'sudo vim /etc/ssh/sshd_config' as a distractor. You must know the difference: 'sudo' uses the user's own password and is controlled by sudoers, while 'su' requires the root password and runs the command as root.
Another common type is the 'su' vs 'su -' distinction. The exam might present a scenario where a user becomes root but then cannot find the 'shutdown' command even though they are root. The question asks why. The answer is that using 'su' without the dash preserves the original user's PATH, which may not include /sbin or /usr/sbin where the 'shutdown' command resides. Using 'su -' fixes this by resetting the environment to root's default.
Configuration questions also appear frequently. For example, 'A Linux system administrator wants to restrict the use of the su command to only members of the wheel group. Which file should they edit?' The answer is /etc/pam.d/su, and they would uncomment or add the line 'auth required pam_wheel.so'. The exam might give you a PAM configuration snippet and ask you to identify the effect.
Finally, troubleshooting questions often involve log analysis. You might see an excerpt from /var/log/secure showing multiple 'su' failures for user 'jsmith'. The question asks: 'What is the most likely cause?' The possible reasons include: jsmith typed the wrong root password, jsmith is not in the wheel group, or the PAM configuration is blocking jsmith's access. You must be able to differentiate between these possibilities based on the exact error message (e.g., 'Authentication failure' vs. 'Permission denied').
Study CompTIA Linux+
Test your understanding with exam-style practice questions.
Example Scenario
You are a junior Linux administrator at a small company. Your team uses a shared server running Ubuntu Server 22.04. Your regular login account is 'alice'. One morning, your manager asks you to update the system's firewall rules to block a specific IP address that has been scanning the network. The firewall is managed by the 'ufw' command, which requires root privileges.
You are currently logged in as 'alice'. You cannot run 'ufw deny from 10.0.0.99' directly because you lack permission. So you decide to use the 'su' command. You open a terminal and type:
su
The system prompts you for a password. You type the root password (which your manager gave you earlier). After successful authentication, your shell prompt changes from 'alice@server:~$' to 'root@server:/home/alice#'. Notice that you are still in alice's home directory. That is because you used 'su' without a dash.
Now you run 'ufw deny from 10.0.0.99'. The command works. Then you also run 'ufw reload' to apply the changes. Both commands succeed because you are root. After finishing, you type 'exit' and your prompt returns to 'alice@server:~$'.
Later, your manager asks you to also check a log file that is only readable by root. You use 'su -' this time. The dash makes the shell behave as if you logged in as root directly. You are now in root's home directory (/root), and your PATH includes /sbin and /usr/sbin. You check the log, then exit.
This scenario demonstrates the basic use of 'su' and 'su -' for daily administrative tasks. It also highlights a potential pitfall: when you used 'su' without the dash, you were still in Alice's home directory, which could be confusing if you expected to be in root's home. But for your task (running 'ufw'), it worked fine because 'ufw' is in a directory that was already in your PATH. For other commands, you might have needed the dash.
This exact situation is a classic exam scenario: a user needs to become root temporarily, and you must decide between 'su' and 'su -' based on the context.
Common Mistakes
Typing 'su' and then trying to run a command without first being in the root shell.
The 'su' command by itself opens a new shell. You cannot type 'su' followed by a command on the same line unless you use the -c option. For example, 'su ls' will try to switch to a user named 'ls' and will fail.
Use 'su -c "command"' to run a single command as root and return to your user. Example: su -c "systemctl restart networking"
Using 'su' without the dash (-) and then expecting the environment to be exactly like a root login.
Without the dash, 'su' does not reset the environment variables like HOME, PATH, and SHELL. You may end up with your normal user's PATH, missing system directories like /sbin. This can cause commands like 'shutdown' or 'ifconfig' to fail.
If you need the full root environment, always use 'su -' (with the dash) to simulate a login shell.
Assuming 'su' can be used without the target user's password when you are already root.
Actually, this is not a mistake-root can switch to any user without a password. But many beginners think 'su' always requires a password. The mistake is not knowing this nuance. In an exam, this could lead to selecting a wrong answer about authentication requirements.
Remember: root can use 'su username' to switch to any account without entering a password. Non-root users must provide the target user's password.
Confusing 'su' with 'sudo' and thinking both require the root password.
'sudo' requires the user's own password (or no password if configured), not the root password. 'su' requires the target user's password (typically root). Mixing these up can lead to authentication failures and wasted time.
When using su, you must know the password of the user you are switching to. When using sudo, you use your own password (or none, depending on configuration).
Using 'su' to switch to a user and staying in that shell for days, forgetting to 'exit'.
If you leave a root shell open on a shared computer, another person can walk up and execute commands as root. This is a security risk. Also, if you close the terminal without exiting, the child process may not terminate cleanly.
Always type 'exit' to return to your original user session as soon as you are done with root tasks. Use 'sudo' for single commands to minimize root shell exposure.
Exam Trap — Don't Get Fooled
{"trap":"You are asked: 'Which command allows user bob to become root and automatically change to the root home directory?' Many learners choose 'su root' thinking it does the job because they see 'root' in the command. However, 'su root' still does not give the login environment."
,"why_learners_choose_it":"Learners see 'root' in the command and assume it means 'switch to root'. They may not remember the importance of the dash. They might also think 'su root' is the same as 'su -' because both switch to root."
,"how_to_avoid_it":"Memorize that the dash is essential for a login shell. 'su -' (with the dash) is the only way to fully simulate a root login, changing the home directory to /root and setting all root environment variables. 'su' or 'su root' does not do this.
Practice by typing both commands and noticing the difference in your prompt and current directory."
Step-by-Step Breakdown
Check Your Current Identity
Before using 'su', it is wise to confirm which user you are currently logged in as. Use the 'whoami' command. This step helps you avoid accidentally using 'su' when you are already root, which would be redundant. It also reminds you of your starting point so you know when to return to this user.
Determine the Target User
Decide which user account you need to become. Most often this is 'root', but you can switch to any user account on the system, such as 'postgres' or 'apache'. For example, if you need to troubleshoot a database issue, you might switch to the 'postgres' user. If you need system-wide administrative access, switch to 'root'.
Execute the su Command
Type 'su' followed by the target username. If the target is root, you can type just 'su' (the default). Example: 'su postgres'. Consider using the dash for a login shell: 'su - postgres'. The system will prompt you for the target user's password. Type it correctly (note: no asterisks appear while typing). If authentication succeeds, you will enter a new shell with the target user's UID and GID.
Perform the Required Tasks
Now you are operating as the target user. Run the commands you need, such as editing configuration files, changing permissions, or managing services. Remember that you have all the privileges of that user, so be careful, especially if you are root. Avoid running unnecessary commands that could affect the system. Use the session only for its intended purpose.
Return to Your Original User
When you have finished your tasks, type 'exit' to leave the su shell. You will be returned to the original user's shell with the original environment. Verifying by running 'whoami' again is good practice. If you opened multiple 'su' sessions, you may need to type 'exit' multiple times to return all the way back.
Practical Mini-Lesson
The 'su' command is a staple of Linux system administration, but using it effectively requires understanding of its environment impact, security implications, and common pitfalls. Let's dive into a practical lesson.
First, always consider whether to use the dash. The difference between 'su' and 'su -' is not just cosmetic. When you run 'su' without a dash, your new shell retains many environment variables from your original user, including PATH, HOME, and USER. This can be dangerous. For example, if your PATH doesn't include /sbin, commands like 'fdisk' or 'ifconfig' will not be found. Worse, if your PATH includes the current directory (.), you might accidentally execute a malicious script from your home directory while thinking you are running a system command. Always use 'su -' unless you have a specific reason not to.
Second, understand the authentication mechanism. By default, 'su' uses PAM to verify the target user's password. The configuration file /etc/pam.d/su controls the rules. One common rule is the wheel group restriction. If the line 'auth required pam_wheel.so' is present, only users who are members of the 'wheel' group can use 'su' to become root. This is a security best practice to reduce the number of users who can gain root access. As a professional, you should be comfortable editing this file to enforce your organization's policy.
Third, use 'su -c' for single commands when you do not need an interactive shell. This minimizes the time you spend with root privileges, reducing the attack surface. Example: 'su -c "systemctl restart nginx"' runs only that command as root, then immediately returns. This is similar to 'sudo' but uses the root password instead of your own. In many organizations, 'sudo' is preferred because you can allow users to run only specific commands. However, in situations where 'sudo' is not set up or broken, 'su -c' is the fallback.
Fourth, be aware of the security risk of sharing root passwords. In teams with many administrators, sharing the root password means you lose accountability-if someone breaks something, you cannot tell who it was. The logs will show only that root performed the action, but not which individual used 'su'. This is why modern practice favors 'sudo' with logs showing the original username. If you must use 'su', consider using it with a wheel group and strong password policies.
Finally, practice recovering from a broken system. If you accidentally break the system so that you cannot log in as root via SSH, you might still be able to use single-user mode or a live CD. In such cases, knowing how to use 'su' from single-user mode (where no password is required) can help you fix the issue. But that is advanced-for certification purposes, focus on the standard usage and the difference between 'su' and 'su -'.
Memory Tip
Remember: 'su -' is 'switch user, login shell', the dash makes it a full login environment.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
XK0-006CompTIA Linux+ →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
XK0-005XK0-006(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Frequently Asked Questions
What does 'su' stand for?
Historically, 'su' stands for 'substitute user'. In common usage, it is also referred to as 'switch user' or 'superuser' when used without a username to become root.
Do I need the root password to use 'su' to become root?
Yes, unless you are already root. A non-root user must provide the root password when using 'su' to become root. Root can switch to any user without a password.
What is the difference between 'su' and 'su -'?
'su' without a dash preserves your current environment (PATH, HOME, etc.). 'su -' (with a dash) creates a login shell, resetting the environment to the target user's defaults and changing to their home directory. Always use 'su -' unless you need to preserve your original environment.
Can I run a command as root without opening an interactive shell?
Yes, use 'su -c "command"'. This runs the command as the target user (usually root) and then immediately exits, returning you to your original shell.
How do I prevent users from using 'su' to become root?
Edit the PAM configuration file /etc/pam.d/su and add or uncomment the line: 'auth required pam_wheel.so'. Then only users who are members of the 'wheel' group can use 'su' to become root.
Is 'su' the same as 'sudo'?
No. 'su' switches to another user entirely and requires that user's password. 'sudo' allows a user to run a specific command as another user (usually root) using their own password. 'sudo' is more flexible and secure for most use cases.
Summary
The 'su' command is a powerful tool for switching user identities on Linux and Unix systems. It is most commonly used to become the root user in order to perform administrative tasks like installing software, managing services, or editing system configuration files. However, with great power comes great responsibility. Understanding the difference between 'su' and 'su -' is critical, as the dash affects the environment and can cause commands to fail if omitted inappropriately.
In certification exams, 'su' appears frequently in scenarios where you need to temporarily escalate privileges. You should be comfortable with the syntax, the password requirements, and the role of PAM in controlling access. Also, know that 'su' is different from 'sudo', even though both provide privilege escalation. The confusion between these two is a common source of errors in both exams and real-world administration.
Ultimately, while 'sudo' has largely replaced 'su' in modern enterprise environments due to better auditing and granular control, 'su' remains a fundamental skill. It is especially important in situations where 'sudo' is not configured, or when you need to simulate a full login environment. Master 'su', and you will have a solid foundation in Linux user management and security. Use it wisely, and always exit the root shell when you are done.