su and sudo allow to execute commands or shell with a different user. Depending on how they are invoked the environment variables can change, causing different command results.
Both “su” and “sudo” allow to execute commands on behalf of other user. The usage of su implies the knowledge of the “other” user password except if invoked by root. There is not much control on what the user can do, if the access is granted there is no restriction.
In sudo there is a fine control on what the user can do, what commands can be run. There is no need to know the password of the “other” user. The permissions are set in a configuration file.
su – run a command with substitute user and group ID
From the man page:
su allows to run commands with substitute user and group ID. When called without arguments su defaults to running an interactive shell as root. For backward compatibility su defaults to not change the current direc‐ tory and to only set the environment variables HOME and SHELL (plus USER and LOGNAME if the target user is not root). It is recommended to always use the --login option (instead it's shortcut -) to avoid side effects caused by mixing environments.
Example:
# su opc -c 'echo $PATH' /usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
# su - opc -c 'echo $PATH' /usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/opc/.local/bin:/home/opc/bin
In “su opc” the enviroment variables used to run the command is the original one, in this case the user root environment. If the command is invoked with “–” or “–login” the environment is the “opc” user, except for “TERM”.
As explained by the manual page:
-, -l, --login Starts the shell as login shell with an environment similar to a real login: o clears all environment variables except for TERM o initializes the environment variables HOME, SHELL, USER, LOGNAME, PATH o changes to the target user's home directory o sets argv[0] of the shell to '-' in order to make the shell a login shell
sudo – execute a command as another user
From the man page:
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy.
Example:
# sudo -u opc bash -c 'echo $PATH' /sbin:/bin:/usr/sbin:/usr/bin
# sudo -i -u opc bash -c 'echo $PATH' /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/home/opc/.local/bin:/home/opc/bin
In “sudo” the environment variable are passed from original session to the “sudo” session as defined in /etc/sudoers:
Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
The defined variables are preserved.
Using “sudo -i” can cause some variables to be reset:
-i, --login
Run the shell specified by the target user's password data‐
base entry as a login shell. This means that login-specific
resource files such as .profile, .bash_profile or .login will
be read by the shell. If a command is specified, it is
passed to the shell for execution via the shell's -c option.
If no command is specified, an interactive shell is executed.
sudo attempts to change to that user's home directory before
running the shell. The command is run with an environment
similar to the one a user would receive at log in. Note that
most shells behave differently when a command is specified as
compared to an interactive session; consult the shell's man‐
ual for details. The Command environment section in the
sudoers(5) manual documents how the -i option affects the
environment in which a command is run when the sudoers policy
is in use. Example, from default /etc/sudoers, the PS1 variable will be preserved:
# PS1="%: " sudo -u opc bash %:
# PS1="%: " sudo -i -u opc bash [opc@[HOSTNAME] ~]$
If “-i” is used, it will cause login resource files to be run, the PS1 variable was reset as set in /etc/bashrc.