Tutorial - "su username vs su - username" - A Security Perspective
- Categories:
- tutorial
The main difference between the commands `su username` and `su - username` lies in the environment variables that are loaded when switching to the specified user.

`su username`: This command switches to the specified user account but keeps the current environment variables intact. It does not simulate a full login, so the new shell session inherits the environment of the original user.

`su - username` or `su -l username`: This command simulates a full login for the specified user. It resets the environment variables to those defined for the target user, including their home directory, `PATH`, and other settings specified in their login configuration files such as `.bash_profile` or `.bashrc`. This is useful when we need to fully assume the identity of another user, including their environment settings.

`su - username` provides a cleaner separation between the current user's environment and the environment of the target user, while `su username` maintains the current environment.
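The following script is an added example, not part of the original post. It reproduces the difference described above without switching users or needing root: `su - username` runs the target's shell as a login shell, so the script starts `bash --login` against a constructed "target user" home directory and compares it with a plain `bash` started the way `su username` would. It assumes `bash` is installed; `/opt/target/bin`, `/home/caller/bin` and the marker variable `TARGET_PROFILE_LOADED` are made-up values for the demonstration. The last function also illustrates the Path Safety point in the Security section: which caller-owned directories survive into the target's `PATH` when no login is simulated.

```shell
#!/bin/sh
# Added example (not from the original post): show what a non-login shell
# (`su username`) and a login shell (`su - username`) each see, using a
# constructed home directory instead of a real second user.

# Resolve bash once so the PATH handed to the child shell need not contain it.
BASH_BIN=$(command -v bash) || { echo "bash is required" >&2; exit 1; }

# Create a throwaway home for the fake target user with a .bash_profile that
# prepends the user's own bin directory to PATH and sets a marker variable.
# Prints the directory path.
make_fake_home() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/.bash_profile" <<'EOF'
# target user's login configuration (constructed for this example)
export PATH="/opt/target/bin:$PATH"
export TARGET_PROFILE_LOADED=yes
EOF
  printf '%s\n' "$dir"
}

# Script run inside the child shell: prints "<first PATH entry> <marker>".
REPORT='printf "%s %s\n" "${PATH%%:*}" "${TARGET_PROFILE_LOADED:-no}"'

# `su username` style: a plain (non-login) shell. No profile is read, so the
# caller's PATH, and whatever sits first in it, carries straight over.
# $1 = fake home, $2 = the PATH the caller is running with
shell_without_dash() {
  env -i HOME="$1" PATH="$2" TERM=dumb "$BASH_BIN" -c "$REPORT" | tail -n 1
}

# `su - username` style: a login shell. bash --login sources /etc/profile and
# then $HOME/.bash_profile, so the target's own PATH and settings take over.
shell_with_dash() {
  env -i HOME="$1" PATH="$2" TERM=dumb "$BASH_BIN" --login -c "$REPORT" | tail -n 1
}

# Path Safety check: list PATH entries that live under the caller's home
# directory, i.e. directories the caller controls that the target shell would
# search for executables. Empty output means none.
# $1 = PATH value to inspect, $2 = caller's home directory
caller_dirs_in_path() {
  old_ifs=$IFS
  IFS=:
  for entry in $1; do
    case "$entry" in "$2"/*) printf '%s\n' "$entry" ;; esac
  done
  IFS=$old_ifs
}

# Run both variants side by side and clean up.
demo() {
  caller_path="/home/caller/bin:/usr/bin:/bin"   # constructed caller PATH
  home=$(make_fake_home) || return 1
  printf 'su   username -> %s\n' "$(shell_without_dash "$home" "$caller_path")"
  printf 'su - username -> %s\n' "$(shell_with_dash "$home" "$caller_path")"
  printf 'caller-owned dirs searched without the dash: %s\n' \
    "$(caller_dirs_in_path "$caller_path" /home/caller)"
  rm -rf "$home"
}

demo
```

Without the dash the child shell reports the caller's first `PATH` entry and the marker `no`; with the dash it reports `/opt/target/bin` and `yes`, because the target's `.bash_profile` ran. `env -i` is used so the child starts from a known, empty environment, which is also what `su -` does before the login files are sourced.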
Security

Using `su - username` is better from a security standpoint because it provides a more controlled and secure environment for the target user. Here's why:

- Environment Isolation: `su - username` resets the environment variables to those defined for the target user. This ensures that only the environment variables specifically set for that user are loaded, reducing the risk of accidentally executing potentially harmful commands or scripts from the current user's environment.
- Security Policies: The target user's login configuration files, such as `.bash_profile` or `.bashrc`, can include security policies and settings specific to that user. By using `su - username`, we can ensure that these policies are applied, enhancing the security of the session.
- Path Safety: By loading the target user's `PATH` variable, `su - username` ensures that only the executables accessible to that user are available. This reduces the risk of inadvertently executing a malicious program or script from an unexpected location.
- Home Directory Security: `su - username` changes the working directory to the home directory of the specified user, providing a secure context for file operations. This reduces the risk of accidentally modifying or accessing sensitive files from the current user's directory.
- Logging and Auditing: Using `su - username` provides clearer audit trails. The system logs will clearly show when a user switches to another user with a full login, making it easier to trace actions back to the responsible user.

`su - username` ensures a more secure and controlled environment, reducing the risk of security vulnerabilities and accidental misuse of privileges.