su vs. sudo su - which to use?


We have a running debate in our office that i would like some clarity on. We configure our Linux servers with individual user names, but to run commands with root priveleges, people run su -. I have read in other places where sudo su - should be used with the root password disabled, but no clear reason as to why from a security standpoint.

I know one reason is because everyone would have to know the root password, but can someone please tell me why sudo su - should be used instead and the root password disabled? It would also be good to hear if either is OK, or if someone feels strongly about one vs. the other just to get a sense how others view this.

I also know that using sudo you can limit peoples use of root priveleges, so i just wanted to mention that so i could get other reasons why.

Thanks in advance!
Anony MousAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ok, the common setting are to not allow root login other than on the console.
Sudo should be used as this way each user can be granted some elevated rights without having others.
su - gets full elevated rights on a system.
sudo also maintains an audit record.
sudo su - is redundant.
sudo bash
su - username if you need to have the shell as username.
sudo su logs who did the su, and allows per user management of privileges, both of which can be useful from a security standpoint
It can be preferable to sudo the individual commands that need privileges instead of doing everything under a blanket sudo su, to avoid running commands under superuser unnecessarily or unintentionally.
sudo through the configuration is setup to log events (locally and if configured to a central syslog server.

I believe the only time one would need to run su where sudo is setup is if they need to run as another user of lower privileges i.e. troubleshooting an app that has issues, or dealing with a user who complains of issues.'
sudo su - is repeating the rights eleveation (sudo elevates righs to root, su - resets root with env variables.)

configuring /etc/sudoers  for users, groups to run bash or any shell to get a full elevated shell. A more granular restriction per group to run specific command (excluding editors since most editors have a way to initiate a shell which would give the individual root shell if not so allowed before)
Hey MSSPs! What's your total cost of ownership?

WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!

not sudo su or sudo bash, you must use sudo -s
Anony MousAuthor Commented:
Doesnt switching to su - log all commands as well? For that matter does switching to sudo su - log commands typed by the user?
You need to use right tool for each job.
e.g su is very simple privilege escalation tool
sudo is much more sophisticated

For command logginf one uses tools like psacct or snoopy.
I was "schooled" recently that `sudo su - [username] {command}` is deprecated and `sudo [-u username] -i {command}` is the preferred usage. Personally, I don't see the difference.

Note that sudo logs the initial `su`, but not subsequent commands run in that shell; `su` will also be logged in the system logs, so there's no real difference there  from a security point of view.,

A practical reason to use sudo rather than have multiple people know the root password is that, if the server holds sensitive data, the root password should be changed regularly - so you have to communicate that password to multiple people, and chances are they'll write it down. And you don't know who knows the password until it gets logged that they've used it, which may be too late.

I'm on a campaign to remove ALL admin passwords (except for root*) from live servers; My goal is for Unix and App admins to log in to a hardened Jump-off server as themselves, then use passwordless ssh to connect to a target server (as themselves again, assuming they are allowed on the target server) and then use sudo (passwordless) to gain privileges. The advantage to the admin is they don't need to maintain passwords on multiple servers AND only need to type their personal password once - They could fire up multiple xterms on the Jump-off box once they've authenticated there (xterm -e "ssh $TARGETHOST -c 'sudo su -' ")

The advantage to InfoSec is that there's a single point, the Jump-off box, where they can audit usage, revoke access, maintain Trust relationships (and with some simple scripting, grant access to selected servers).

* The root passwords will be put in sealed envelopes, held by the Operators for emergencies only (e.g. server down/not available on the network), and will be changed once the emergency is over.
Oops - the ssh "-c" is incorrect, the command should be
xterm -e "ssh $TARGETHOST  'sudo su -' " &   # You can also set window name, size, scrollbars etc. here

My excuse is that I never type that command, it's in a scriptlet "xt" that I just call as `./xt targethost`

And regarding key-exchange - Other methods are available, such as Kerberos tokens
I have no clue where sudo su - originates...
after sudo  the "su -" is executed as root already and just sets environment and executes shell
Actually "sudo -Hs" does exactly same thing (you can add those parameters as default to visudo after reading manuals, and keep su - for that long term stored unbeatable password)
sudo su - is, and has been, entirely redundant.  It also means you haven't thoroughly read the sudo man page.  It's like cat textfile | less or cat textfile* |grep search_text instead of just less textfile or grep search_text textfile*.

sudo -i or sudo -s is the correct way to do it.

I only know of a friend, many years (at least 10) ago, telling people to use sudo su or sudo su - as a joke.  He frequently created stupid constructs and tricked people into using them.  I wonder if that's how it got started.  It's a good way to separate those that read man pages from those that never do.
I first read of "sudo su -" year ago or so in experts-exchange question...
I thought the question was
"su" vs. "sudo su" - which to use?
"su" vs. "sudo su -", which to use?
but "su -" or "su -l" differs from "su" in how the environment is set up
Whether the person used the - as a separator I do not believe is significant given the use of su requires root password knowledge while sudo provides granular control.
The end result of using su or sudo su deals with whether the user running either set of commands will end up with an elevated "shell"  which ozo cleared up that the env variables will have. Variation on the su vs su - side.  The sudo command will set the env variables prior to running su.

It might have been that older use of sudo only retained the user running sudo environment variables, and su - was needed to reinitialize an already elevated shell with root's profiles/environment variables.
It could also have been that aliases, etc. that were setup within the root account were unavailable when sudo run, an option is to use source .bashrc or . .profile etc to reload the settings, but some used su - ..........

To use doors/keys to illustrate the above.  One option is to give those who need access to the master key (su) the other option is to give each person a limited master key that opens certain doors but not all.
In the above context the person will use the limited master key to access the room where the master key is and will retrieve it....
Even sudo su is a retarded construct.

I don't really remember when old sudo was ever being that limited.  It's been such a long time that I've used sudo that I don't remember.  It definitely has had many more features for quite some time now, and you can control exactly which users you can connect to, which binaries you can run, and whether or not you need a password.

You either use sudo or you use su.  Calling su with sudo means you didn't read the man page.

sudo su is basically sudo -s
sudo su- is basically  sudo -i

sudo -i -u USER would be equivalent to su - USER

sudo su - USER or even sudo su - is entirely unnecessary and has been unnecessary for many years now.

This is one of those things that must have appeared in some forum long ago that people keep digging up.  I wish it would go away so that people could use sudo correctly.  That's also what I mean by people just posting blogs.  They post incorrect, incomplete information from some random guy on the internet because it's popular.  This is why google now wants to rank "factual" information.
Apologies to the question Asker for this off-topic discussion of the preferred syntax for sudo.

If we're being pedantic, the Unix/Linux command to switch user is "su"; sudo is an add-on wrapper to the core OS that provides an alternative authentication mechanism. So the fact the sudo provides a "shortcut" is irrelevant and I would recommend `sudo su -` as it's clear what it is doing and is guaranteed to be portable.

Incidentally, I've just checked on one of the AIX 6 systems at work (sudo 1.8.5-4) , and `sudo -i` doesn't work, it immediately exits back to the unprivileged id; `sudo -i ksh` doesn't set the environment properly, so `sudo su -` is necessary. HP-UX 11.31 and RHEL/SLES are fine.
Anony MousAuthor Commented:
All, thanks for the responses, i am reviewing everything everyone said.
Rich RumbleSecurity SamuraiCommented:
Your original question answers it best, using SU and no SUDO you need to know ROOT's  password. Using SUDO SU, you use your own password as long as *you* are in SUDOERS. The minus (su-) strips out your environment and creates a "cleaner" one. If you leave off the minus, your homedir is used for instance, but using the minus your homedir is not used. If you have SUDO, you have root, so disabling root is only effective security wise if you can't get into runlevel 3 I guess, but you'd have to re-enable root if you couldn't get to that runlevel anyway... Ubuntu I know won't let you use root if you leave it blank, but you can use SUDO, so root is disabled effectively if the password is blank. Funny enough, windows doesn't allow interactive login if the local administrator is password is blank, just a little tidbit.
Switch User do (sudo) vs Switch User (su). It really does come down to knowing root or using your own password. I think you answered your own question before you asked it :) You can in fact do many things to limit peoples "powers" in linux utilizing sudoers, we have a very strict environment and our sudoers (and file permissions) is an abomination to maintain, but I'll be damned if you could do anything we don't want you to even with "sudo" access.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Anony MousAuthor Commented:
Thanks all for responding to this question, everything was posted was extremely helpful clarifying this question!
su - Means load the user's (root in this case) environment,  not strip out your environment.  It's the same as su -l

Is there a man page for sudo on AIX?  What version sudo is that? I guess they haven't updated in ages.  It must be at least 10 years old.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.