

Su VS sudo su VS sudo -u -i - johnkpaul
http://johnkpaul.tumblr.com/post/19841381351/su-vs-sudo-su-vs-sudo-u-i

======
ars
"With no extra arguments, as far as I can tell su <username> is exactly the
same as attempting to login remotely as that user,"

This is not correct. su does not change the ownership of the pts (tty), so for
example you can not run screen after doing that.

I actually have no idea how to change to a different user and also set up the
pts properly, so I've resorted to telnetting to localhost when I need to do
that.

~~~
BCM43
I've changed the permissions of /dev/pts/X in the past to allow anybody to
access it. (e.g. sudo chmod o+rw /dev/pts/3) This may open up the screen
session to others, I've not played around with it enough.

------
lubutu
su is unnecessary; _sudo -s_ is equivalent to _sudo su_, but allows the admin
to restrict who may sudo to whom, for which programs, and so on.

~~~
guns
They are not equivalent. `sudo su` changes the values of USER, HOME, and SHELL
to that of the root user. `sudo -s` only changes USER (it seems), but HOME is
retained as the SUDO_USER's home directory.

Neither invocation changes the working directory, which is convenient.

~~~
lubutu
Whether sudo sets $HOME depends on your /etc/sudoers configuration.
Alternatively, _sudo -Hs_.

~~~
guns
Indeed. I didn't know about `sudo -H`, though, so thank you.

------
staunch
I always do

    $ sudo su -             # root
    $ sudo su - username    # user

    $ man su
         -, -l, --login
                make the shell a login shell

------
stox
Completely missing the different aspects of logging each different invocation
may have.

------
zobzu
people still writing stuff and getting upvotes without bothering to RTFM to
the slightest.

man sudo

=> sudo -s

hard uh. always read the f. man damnit. you know, that's what RTFM means.

~~~
johnkpaul
AFAIK, sudo -s is only if you would like to open a shell as root, not when you
would like to open a shell as another user. The original point of the post was
about how to create a shell as another user, without needing any password.

Edit: just added the last phrase. "without needing a password".

~~~
lubutu
That's possible using _sudo -su user_ (which looks similar, but doesn't hand
over to su).

~~~
johnkpaul
Again, AFAIK, that doesn't respect the NOPASSWD option in /etc/sudoers. That
might just be the specific configuration I'm working with though.

~~~
lubutu
I've just done some testing, and my sudo (1.7.4p6) does honour NOPASSWD in
/etc/sudoers, when I _sudo -su_ to any user. Are you sure your configuration
is correct?

~~~
johnkpaul
No, I'm not sure. I'm using Sudo version 1.7.4p5. sudo su <user> does not
prompt for a password. sudo -su <user> and sudo -s -u <user> do prompt for a
password.

~~~
lobster_johnson
Works here. We use it extensively on our boxes to allow access to certain
initscripts, among other things.

------
padobson
I use _sudo su - <username>_ pretty regularly when I'm working on servers. I
have a dev box where I do initial deploys of all of my apps, and each app has
a different username with different configurations to run/debug the app.

_sudo su - <username>_ takes me to the home folder of the user and allows me
to switch without remembering the password for all of the different users. If
I need to do some system-level operation, I open a new tab and run the
superuser there.

~~~
tonfa
Isn't sudo -i username equivalent?

------
mappu
I'm not a sudoer on any box I administrate, and I've apt-get remove'd it from
my personal VPSes. It's a little worrying, occasionally you'll run across a
shell script that runs sudo for half its lines and you're not entirely sure
why.

Using plain su instead of sudo <command> forces me to enter my password,
thereby encouraging a conscious decision about whether a command needs to be
run as root, and the change in prompt is another reminder to be careful.

~~~
guns
The sudo timeout convenience feature is worrisome, but there's no need to
remove it entirely from the system [1]. You can set

    Defaults timestamp_timeout = 0

in your sudoers file to make sure sudo always prompts for a password. I think
this should be default, since the current default of 5 minutes is an easy
privilege escalation vector [2].

Also, if you like entering root's password instead of your own, you can set
the `runaspw` option.

[1]: Unless you'd like to remove one more possible SUID vulnerability.

[2]: It's far from the only way for a local process to escalate privileges, so
I understand it's nothing worth yelling about.
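
An added example, not part of the thread: a small audit of sudoers-format text for the two settings discussed here, the global timestamp_timeout value and any NOPASSWD rules. The sample input and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input, not taken from any real system.
SAMPLE='Defaults env_reset
Defaults timestamp_timeout = 15
deploy ALL = (appuser) NOPASSWD: /bin/sh
# Defaults timestamp_timeout = -1
Defaults env_reset, timestamp_timeout=0
%admin ALL=(ALL) ALL'

# Print the last global "Defaults timestamp_timeout" value on stdin, or
# "unset". Scoped forms such as "Defaults:user" are deliberately ignored.
effective_timeout() {
    awk '
        /^[[:space:]]*#/ { next }                    # comment lines
        /^[[:space:]]*Defaults[[:space:]]/ {
            line = $0
            sub(/^[[:space:]]*Defaults[[:space:]]+/, "", line)
            n = split(line, opts, ",")               # several options per line
            for (i = 1; i <= n; i++) {
                opt = opts[i]
                gsub(/[[:space:]]/, "", opt)
                if (opt ~ /^timestamp_timeout=/) {
                    sub(/^timestamp_timeout=/, "", opt)
                    val = opt; found = 1             # later lines override
                }
            }
        }
        END { if (found) print val; else print "unset" }'
}

# Map a timeout value to what it means for password prompting.
classify_timeout() {
    case "$1" in
        unset) echo "default" ;;          # built-in credential cache applies
        0|0.0) echo "always-prompt" ;;    # the setting recommended above
        -*)    echo "never-expires" ;;    # negative: cached credential never ages out
        *)     echo "cached" ;;           # minutes of password-free sudo
    esac
}

# List non-comment rule lines that grant password-free execution.
nopasswd_rules() {
    awk '/^[[:space:]]*#/ { next }
         /^[[:space:]]*Defaults/ { next }
         /NOPASSWD[[:space:]]*:/ { print NR ": " $0 }'
}

t=$(printf '%s\n' "$SAMPLE" | effective_timeout)
echo "timestamp_timeout: $t ($(classify_timeout "$t"))"
printf '%s\n' "$SAMPLE" | nopasswd_rules
```

The functions only inspect the text piped to them; they do not follow include directives or evaluate per-user Defaults.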

------
mikegirouard
> The only use that I can see for this is, as a system administrator,
> debugging issues that are user specific. So far, I have not needed it.

I use `sudo -i` daily, but when doing things that would require things to be
in root's path (e.g. `service` on RHEL envs).

------
moe
Real men _su -_ and that's it.

------
squadron
Forgot vs root.

