A question about su -

9nine9 · 11-29-2007, 07:30 AM

Has the [ su - ] command been around as long as [ su ] and what's the difference between the two?

I can see they don't act exactly the same when switching back to user, and the two prompts aren't the same but I can't tell what's going on under the surface.

Switching back to user, [ su - user ] asks for user's password whereas [ su user ] does not.

pixellany · 11-29-2007, 07:41 AM

It's all su...... "-" is simply an option.

"su" means "take on root's powers, but keep user's environment"

"su -" means "become root, including environment" e.g.: you'll note that "su -" puts you in the /root directory. On some systems it also gives you a different PATH

tronayne · 11-29-2007, 08:02 AM

The su utility has been around since... well, at least 25 years that I know of; I first remember it in Unix System V R3, and certainly in Unix System V R4. It's purpose is to let you "become another user" without having to log out and log back in as that user (it predates sudo by decades).

Without the dash you retain your environment, with the dash you get the environment of the user you're becoming (the shell executes the environment settings for that user; /etc/profile, .profile, .exrc, etc.). So, if you execute su - you become user root with root's environment set as if you logged in as root. If you su - user the same thing happens; i.e., you log in as that user.

If you're logged in as root (or su -) you will not be prompted for a password to su - user; if you're not logged in as root and execute su - user, you will have to respond with password for that user (root doesn't have to provide passwords to do anything).

There has been a change recently in this default behavior with the use of /etc/login.defs where su - does not set the environment to that of the su'd user at least in Slackware 12.0:

Quote:

#
# If defined, the command name to display when running "su -". For
# example, if this is defined as "su" then a "ps" will display the
# command is "-su". If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
#SU_NAME su

This changes the long, long time behavior of the su utility unless you change the setting in /etc/login.defs.

Hope this helps some.

9nine9 · 11-29-2007, 08:36 AM

I still don't quite understand the advantage or disadvantage of running su with or without the "-" option.

I'm on a single user system, by the way. I am the only user.

tronayne · 11-29-2007, 08:49 AM

The advantage of the dash is to get root's profile (the PATH environment, is one) -- the /sbin directory, for example, is not usually on an ordinary user's PATH. You're executing su - to do something that can (or should) only be done by root and having root's environment settings (with the dash) makes life simpler. That's it, nothing complicated, just easier.

2damncommon · 11-29-2007, 08:23 PM

"su -" means you are completely root, "su" means you are mostly root.
Many commands will execute just fine with only "su". If you want to see the difference use only "su" and remember to try "su -" if you have troubles (could not open, could not find,etc.)

tronayne · 11-30-2007, 08:34 AM

Maybe this will help (maybe not, but what the heck).

When you log in your environment gets set, initially by entries in /etc/profile and then by entries in files in your home directory (.profile, .bashrc and others). You can view what got set with the env command. When you use su without the dash, you don't get the environment of the user you're becoming, you retain your own environment but your effective user and group identification become those of the user you're becoming; if you just execute su (without the dash), that's what happens -- you can do things as if you're root (like change file ownership and the like), but you're not really "running as root."

If, on the other hand, you use su -, then it is as if you logged on; /etc/profile is executed, all the "dot" files in root's home directory are executed, and you're in full-blown root environment. Similarly, if you sh - mysql, you become the mysql user with all the environment settings needed to act as that user.

This is part of the manual page for su for Solaris (which is Sun's version of Unix System V R4; Linux is similar in many ways to Solaris) which may (I hope) make this a little clearer.

Code:

NAME
     su - become super user or another user

SYNOPSIS
     su [ - ]  [  username   [  arg ...  ]  ]

DESCRIPTION
     The su command allows one to  become  another  user  without
     logging  off  or  to assume a role. The default user name is
     root (super user).

     To use su, the appropriate password must be supplied (unless
     the invoker is already root). If the password is correct, su
     creates a new shell process that has the real and  effective
     user  ID,  group  IDs,  and  supplementary group list set to
     those of the specified username. The new shell will  be  the
     shell  specified  in  the shell field of username's password
     file entry (see  passwd(4)).   If  no  shell  is  specified,
     /usr/bin/sh is used (see sh(1)). To return to normal user ID
     privileges, type an EOF character (<CTRL-D>) to exit the new
     shell.

     Any additional arguments  given  on  the  command  line  are
     passed  to the new shell. When using programs such as sh, an
     arg of the form -c string executes string  using  the  shell
     and an arg of -r gives the user a restricted shell.

     The following statements are true  if  the  login  shell  is
     /usr/bin/sh   or   an   empty   string  (which  defaults  to
     /usr/bin/sh) in the specific user's password file entry.  If
     the first argument to su is a dash (-), the environment will
     be changed to what would be expected if  the  user  actually
     logged  in as the specified user. Otherwise, the environment
     is passed along, with the exception of $PATH,      which  is
     controlled  by PATH and SUPATH in /etc/default/su. Addition-
     ally, the user's project ID is set if the dash  argument  is
     present.