su
Become another user, usually the superuser
TLDR
Switch to superuser (requires the root password)
Switch to a given user (requires the user's password)
Switch to a given user and simulate a full login shell
Execute a command as another user
SYNOPSIS
su [options] [-] [user [argument...]]
Explanation:
[options]: Various flags to modify su's behavior.
[-]: A single dash instructs su to simulate a full login, including environment setup.
[user]: The username of the account to switch to. If omitted, defaults to root.
[argument...]: Arguments passed to the new shell if a command is not specified with -c.
PARAMETERS
-c, --command=COMMAND
Executes a single COMMAND with the substituted user and group IDs, then exits.
-, -l, --login
Simulates a full login session. This resets environment variables, changes to the target user's home directory, and starts their login shell.
-m, -p, --preserve-environment
Preserves the current environment variables, except for $HOME, $SHELL, $USER, $LOGNAME, and $PATH, which are still changed to reflect the target user. This option is overridden by --login.
-s, --shell=SHELL
Specifies the SHELL to use instead of the default shell of the target user.
-g, --group=GROUP
Specifies the primary GROUP to use instead of the default primary group of the target user.
-G, --supp-group=GROUP
Specifies supplementary GROUPs to add to the target user's group list. Multiple groups can be specified with a comma-separated list.
-h, --help
Displays a help message and exits.
-v, --version
Displays version information and exits.
DESCRIPTION
The su (substitute user) command in Linux allows a user to run commands with the privileges of another user account. Most commonly, it is used to gain the privileges of the root user, the system administrator account, to perform privileged tasks. When invoked without a specific target user, su defaults to root. The command prompts for the password of the target user (not the current user's password) before granting access.
A key distinction in su usage is between su and su -. When used simply as su user, it changes the user ID but retains most of the current user's environment variables (like PATH). This can sometimes lead to issues if critical system binaries are not in the current user's PATH. In contrast, su - user (or su --login user) simulates a full login session for the target user. This means it sets a new environment, including a new PATH and HOME directory, and starts the target user's login shell, making it safer for administrative tasks as it ensures the correct environment for the superuser.
CAVEATS
- Security Risk: Granting root access via su requires sharing the root password. This is generally discouraged for multiple administrators as it makes auditing difficult. If the root password is compromised, the entire system is at risk.
- Environment Differences: Misunderstanding the difference between su and su - can lead to unexpected behavior or errors, especially when executing administrative scripts that rely on a specific environment.
- PAM Configuration: The behavior and authentication requirements of su are heavily influenced by the Pluggable Authentication Modules (PAM) configuration on the system, typically found in /etc/pam.d/su. This can include restrictions on which users are allowed to use su (e.g., via the wheel group).
- Prefer sudo: For most modern Linux distributions and multi-user environments, sudo is often preferred over su. sudo allows fine-grained control over which commands specific users can run as root (or another user) without knowing the target user's password, enhancing security and auditability.
AUTHENTICATION AND AUTHORIZATION
su relies on the target user's password for authentication. On Linux systems, this process is handled by PAM (Pluggable Authentication Modules). The PAM configuration file for su (usually /etc/pam.d/su) determines how authentication is performed, for example by requiring users to belong to a particular group (e.g., the wheel group, or the sudo group on some systems) before they can use su for root access, or by logging attempts.
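The group restriction mentioned here and under CAVEATS is normally implemented with the pam_wheel.so module. The following is an added example, not part of the su documentation: it reports whether a PAM service file gates su behind a group. The two sample files are constructed, and the group name admins is an assumption.

```shell
#!/bin/sh
# Added example: does a PAM service file for su restrict its use to a group
# through pam_wheel.so? Sample files below are constructed for illustration.

# Print the active (uncommented) auth lines that load pam_wheel.so.
wheel_rules() {   # $1 = PAM service file, e.g. /etc/pam.d/su
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /(^|\/)pam_wheel\.so$/) { print; next }
        }' "$1"
}

# "restricted"   : a required/requisite pam_wheel line gates su
# "unrestricted" : no such line, so any user who knows the password may su
su_wheel_status() {
    if wheel_rules "$1" | awk '$2 == "required" || $2 == "requisite" { ok = 1 }
                               END { exit !ok }'; then
        echo restricted
    else
        echo unrestricted
    fi
}

# Group named by group=NAME on the gating line; pam_wheel defaults to "wheel".
su_wheel_group() {
    wheel_rules "$1" | awk '
        $2 == "required" || $2 == "requisite" {
            g = "wheel"
            for (i = 4; i <= NF; i++) if ($i ~ /^group=/) g = substr($i, 7)
            print g; exit
        }'
}

# Constructed samples: a commented-out rule, and an enabled one.
demo=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_rootok.so' \
              '# auth required pam_wheel.so use_uid' \
              'auth include system-auth' > "$demo/su.default"
printf '%s\n' 'auth sufficient pam_rootok.so' \
              'auth required pam_wheel.so use_uid group=admins' \
              'auth include system-auth' > "$demo/su.hardened"

for f in "$demo/su.default" "$demo/su.hardened"; do
    echo "$(basename "$f"): $(su_wheel_status "$f") $(su_wheel_group "$f")"
done
```

To check a live system, call su_wheel_status /etc/pam.d/su and compare the reported group's membership with the list of intended administrators.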
WHEN TO USE SU - VS. SU
Always prefer su - user (or su --login user) when switching to another user, especially root, for administrative tasks. The dash ensures a clean environment, resembling a fresh login, which is crucial for predictable script execution and avoiding conflicts with your original user's environment settings. Using su user without the dash can lead to issues if the current user's $PATH or other environment variables override or hide system binaries or libraries required by the target user.
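When su is run without the dash and the caller's $PATH carries over, every directory in it becomes a place the privileged shell may look for commands. The following is an added example, not part of the su documentation: it flags PATH entries that are empty, relative, or group/world-writable. The demo directories are constructed.

```shell
#!/bin/sh
# Added example: flag PATH entries that are unsafe to carry into another
# user's shell, as "su" without "-" may do.

# Print one "reason<TAB>entry" line per risky entry in the PATH string $1.
#   cwd      : empty entry or ".", both mean the current directory
#   relative : entry does not start with "/"
#   writable : directory is group- or world-writable
risky_path_entries() {
    list="$1:"            # trailing ":" so an empty last entry is not dropped
    old_ifs=$IFS; IFS=:
    set -f                # no globbing while splitting
    for dir in $list; do
        case $dir in
            ''|.) printf 'cwd\t%s\n' "$dir" ;;
            /*)   # -H resolves a symlinked entry (e.g. /bin -> /usr/bin)
                  if [ -n "$(find -H "$dir" -prune \
                        \( -perm -0002 -o -perm -0020 \) 2>/dev/null)" ]; then
                      printf 'writable\t%s\n' "$dir"
                  fi ;;
            *)    printf 'relative\t%s\n' "$dir" ;;
        esac
    done
    set +f; IFS=$old_ifs
}

# Succeeds only when the PATH string has no risky entries.
path_is_clean() {
    [ -z "$(risky_path_entries "$1")" ]
}

# Constructed demo: one world-writable and one normal directory.
demo=$(mktemp -d)
mkdir "$demo/open" "$demo/closed"
chmod 0777 "$demo/open"; chmod 0755 "$demo/closed"
sample=".:$demo/open:bin:$demo/closed:"

risky_path_entries "$sample"
path_is_clean "$demo/closed" && echo "clean: $demo/closed"
# To audit the live environment before a plain "su": risky_path_entries "$PATH"
```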
HISTORY
The su command has been a fundamental part of Unix-like operating systems since their early days, providing a straightforward mechanism for privilege escalation. Its primary function was, and largely remains, to allow users to temporarily become the root user to perform system administration tasks. Before the widespread adoption of sudo, su was the standard tool for this purpose. Its simplicity in design - prompting for a password and then spawning a new shell or executing a command - has ensured its longevity. While sudo has gained popularity for its more granular control and better audit trails, su remains a crucial command, especially in single-user environments or when sudo is not configured or available. Modern implementations, like those from util-linux, have added more options for environment control and group management, but the core functionality has remained consistent over decades.