The main difference between the commands su username and su - username lies in the environment the new shell starts with: which variables are kept from the calling user and which are loaded for the target user.

  • su username: This command switches to the specified user account but keeps the current environment variables intact. It does not simulate a full login, so the new shell session inherits the environment of the original user.

  • su - username or su -l username: This command simulates a full login for the specified user. It resets the environment variables to those defined for the target user, including their home directory, PATH, and other settings specified in their login configuration files like .bash_profile or .bashrc. This is useful when we need to fully assume the identity of another user, including their environment settings.

➜  ~ whoami
currentuser
➜  ~ echo $ZSH
/Users/currentuser/.oh-my-zsh
➜  ~ echo $PATH
/Users/currentuser/.rbenv/shims

# change to "exampleuser" with "su username"
➜  ~ whoami
currentuser
➜  ~ su exampleuser
➜  ~ whoami
exampleuser
➜  ~ echo $ZSH
/Users/currentuser/.oh-my-zsh
➜  ~ echo $PATH
/Users/currentuser/.rbenv/shims
➜  ~ exit
➜  ~ whoami
currentuser

# change to "exampleuser" with "su - username"
➜  ~ whoami
currentuser
➜  ~ su - exampleuser
➜  ~ whoami
exampleuser
➜  ~ echo $ZSH
/Users/exampleuser/.oh-my-zsh
➜  ~ echo $PATH
/Users/exampleuser/.rbenv/shims
➜  ~ exit
➜  ~ whoami
currentuser

su - username provides a cleaner separation between the current user’s environment and the environment of the target user, while su username maintains the current environment.
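The transcript above can be reproduced without a second account or root. The following script is an added example, not part of the original post, and it does not call su itself: the "login" case approximates what su - does on Linux with util-linux su (clear the environment except TERM, then set HOME, SHELL, USER, LOGNAME and PATH from the target account) using env -i, while the "inherited" case simply starts a child shell with the caller's variables. The user names and paths are constructed to match the transcript.

```sh
#!/bin/sh
# Added example, not from the original post: show what a child shell sees when it
# inherits the caller's environment (su username) versus when it starts from a
# login-style reset (su - username). The reset is an approximation built with
# env -i; no su is invoked. Names and paths are constructed from the transcript.

CALLER_ZSH=/Users/currentuser/.oh-my-zsh                   # constructed caller values
CALLER_PATH=/Users/currentuser/.rbenv/shims:/usr/bin:/bin

# su username: the child shell receives the caller's exported variables unchanged.
# The child gets the variable name as $1 and expands it itself, so nothing is
# resolved on the caller's side; prints "unset" when the variable is absent.
show_inherited() {
  ZSH=$CALLER_ZSH PATH=$CALLER_PATH \
    /bin/sh -c 'eval "printf %s \"\${$1:-unset}\""' sh "$1"
}

# su - username (approximation): env -i discards the caller's environment, then
# only the fields su builds from the target account are set before the shell
# starts. TERM is the one caller variable su keeps, so it is carried over here too.
show_login() {
  ZSH=$CALLER_ZSH PATH=$CALLER_PATH \
    /usr/bin/env -i TERM="${TERM:-dumb}" HOME=/Users/exampleuser SHELL=/bin/sh \
      USER=exampleuser LOGNAME=exampleuser PATH=/usr/bin:/bin \
      /bin/sh -c 'eval "printf %s \"\${$1:-unset}\""' sh "$1"
}

# Stand-alone run: print both views side by side, as in the transcript.
for v in ZSH PATH HOME; do
  printf 'su   exampleuser  %-4s = %s\n' "$v" "$(show_inherited "$v")"
  printf 'su - exampleuser  %-4s = %s\n' "$v" "$(show_login "$v")"
done
```

Running it prints the caller's ZSH and PATH for the inherited case and "unset" plus the target account's PATH and HOME for the login case, which is exactly the pattern the transcript shows. Any other variable the caller exports (aliases sourced from the caller's rc files, a LD_PRELOAD, a custom PATH entry) follows the same rule: carried across by su username, dropped by su - username.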

Security

Using su - username is better from a security standpoint because it provides a more controlled and secure environment for the target user. Here’s why:

  1. Environment Isolation: su - username resets the environment variables to those defined for the target user. This ensures that only the environment variables specifically set for that user are loaded, reducing the risk of accidental execution of potentially harmful commands or scripts from the current user’s environment.

  2. Security Policies: The target user’s login configuration files, such as .bash_profile or .bashrc, can include security policies and settings specific to that user. By using su - username, we can ensure that these policies are applied, enhancing the security of the session.

  3. Path Safety: By loading the target user’s PATH variable, su - username ensures that only the executables accessible to that user are available. This reduces the risk of inadvertently executing a malicious program or script from an unexpected location.

  4. Home Directory Security: su - username changes the working directory to the home directory of the specified user, providing a secure context for file operations. This reduces the risk of accidentally modifying or accessing sensitive files from the current user’s directory.

  5. Logging and Auditing: Using su - username provides clearer audit trails. The system logs will clearly show when a user switches to another user with a full login, making it easier to trace actions back to the responsible user.

su - username ensures a more secure and controlled environment, reducing the risk of security vulnerabilities and accidental misuse of privileges.
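Point 3 above (Path Safety) is the one that is easiest to check mechanically. The script below is an added example, not part of the original post: it audits a PATH value for the entries that make inheriting someone else's PATH risky and prints one finding per line. The finding names (empty-entry, cwd-entry, relative-entry, world-writable) are this example's own labels; the permission check reads the "other" write bit from ls -ldL output.

```sh
#!/bin/sh
# Added example, not from the original post: audit a PATH value for entries that
# make an inherited PATH risky. Prints one "reason<TAB>entry" line per finding and
# nothing when the PATH is clean. Findings reported:
#   empty-entry     an empty field ("a::b", or a leading/trailing ":") makes the
#                   shell search the current directory for commands
#   cwd-entry       "." searches the current directory explicitly
#   relative-entry  resolved against whatever the working directory happens to be
#   world-writable  an existing directory any user can write to; the sticky bit
#                   (as on /tmp) does not help, because anyone can still add files
audit_path() {
  rest="$1:"                        # trailing ":" so the last field is also seen
  while [ -n "$rest" ]; do
    entry=${rest%%:*}
    rest=${rest#*:}
    case "$entry" in
      "")  printf 'empty-entry\t%s\n' '(empty field)' ;;
      .)   printf 'cwd-entry\t.\n' ;;
      /*)  if [ -d "$entry" ]; then
             # ls -ldL: permission string of the directory itself (symlinks
             # followed); character 9 of "drwxrwxrwx" is the "other" write bit.
             case "$(ls -ldL "$entry")" in
               d???????w*) printf 'world-writable\t%s\n' "$entry" ;;
             esac
           fi ;;
      *)   printf 'relative-entry\t%s\n' "$entry" ;;
    esac
  done
}

# Exit status 0 when the PATH has no findings, 1 otherwise; suitable for a
# profile script or a login-time check.
path_is_clean() {
  [ -z "$(audit_path "$1")" ]
}

# Stand-alone run: audit the PATH given as the first argument, or the current one.
audit_path "${1:-$PATH}"
```

The caller's PATH in the transcript is exactly the kind of value this catches: a user-owned shims directory in front of the system directories is harmless for its owner, but once inherited by a different account it decides which binaries that account runs. Running audit_path on the PATH that su - builds from the target account, rather than on the inherited one, is the defender's version of point 3.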