4

It seems as if there is no difference whatsoever. When the whoami or id commands are run, they all yield root credentials. Is this an illusion? If the root account is disabled by default in Ubuntu, and therefore su gives an authentication error, then why allow sudo -i?

Edit: Excuse me, the ONLY difference I have learned of is that sudo -i asks for the password of the user who invoked the command, and su asks for root, or some other target user's password.

Is there any OTHER difference?

Braiam
user161589
  • 1
    The account exists, have a look at `sudo grep root /etc/passwd`. What's disabled is _logging in_ as root. – terdon Mar 16 '14 at 02:44

2 Answers

0

EDITED. Note: This answer has been heavily edited since its last iteration based on Eliah Kagan's comments.

sudo -i runs a login shell with root privileges, simulating an initial login with root, acting similar to su -. The primary difference between sudo -i and su - is that sudo -i can be executed using a sudoer's password, while su - must be executed with the root account's password. Hence, if you are on a default *buntu install, where root login is disabled, sudo -i can be used while su and its variants cannot.

If you run the following commands:

```
$ sudo -i
[sudo] password for <username>: <enter user's password>
# cd ~
# pwd
```

you will get the output:

```
/root
```

Hence, you can see that sudo -i simulates an initial root login, including changing the home folder ($HOME) to root's, rather than your own. This also means sudo -i reads login files like .profile.

Meanwhile, sudo -s starts a new shell but without simulating initial login - login files are not read and $HOME is still set to your user's home folder.

If you run the following commands:

```
$ sudo -s
[sudo] password for <username>: <enter user's password>
# cd ~
# pwd
```

you will get the output:

```
/home/<username>
```

From this, you can see that sudo -s does not simulate an initial login, and does not change $HOME.

Davidson Chua
  • In other words, the change in the required password is really the only difference. Yet that seems like a flaw in Ubuntu systems, su is harder to use, because one, the root account needs to be enabled, and two, you need to know root's password, yet why would you go to all that trouble when you could just do sudo -i? What do you gain by doing su? – user161589 Mar 16 '14 at 17:05
  • @user161589 NO! The change in the user's password is ***not*** the only difference. See my answer below. – Seth Mar 16 '14 at 17:45
  • 1
    @Seth The difference in what password is used actually *is* the main important difference here, *except when running GUI apps*. Please see [my comment](http://askubuntu.com/questions/434817/what-is-the-difference-between-sudo-i-and-su#comment566289_434827) on your answer. **Davidson Chua**: `sudo -s` corresponds roughly to `su`, while `sudo -i` is like `su -`. (In the same way, plain `sudo` corresponds to `su -c`.) If someone uses `sudo -i` to run a graphical app (to prevent root-owned config files in their home folder), the `su`-based way would be `su -` (for a shell) or `su - -c`. – Eliah Kagan Mar 16 '14 at 18:52
  • @EliahKagan If you run `sudo -s` and then `cd` and `pwd`, you will be in your (user) home folder. If you do the same with `sudo -i`, you will be in `/root`. This means that `sudo -s` starts a new shell with root privileges, while `sudo -i` starts a new initial login _as_ root. You can refer to Mike Scott's answer on the duplicate question. – Davidson Chua Mar 18 '14 at 14:11
  • @DavidsonChua What you've just commented seems consistent with what I've said. But it's actually not *quite* correct (nor is it quite what Mike Scott said). `sudo -i` doesn't *really* log in as root (or any user); instead, it *runs a login shell* with elevated privileges. That's why `-i` is called the ***simulate** initial login* option in the [`sudo` manpage](http://manpages.ubuntu.com/manpages/precise/en/man8/sudo.8.html). Note that essentially any shell can be started as a login shell (you can run `bash --login` for example); this doesn't mean it's being triggered by an actual login. – Eliah Kagan Mar 18 '14 at 19:57
  • @DavidsonChua ***(Edited.)*** On the other hand, I think my comparison of `su` to `sudo -s` (in [that comment](http://askubuntu.com/questions/434817/what-is-the-difference-between-sudo-i-and-su/434824?noredirect=1#comment566295_434824)) *is a bad one*, or at least misleading. I'm sorry about that. `sudo -i` *does* behave very similarly to `su -` (or `su - -c`), but `sudo -s` is not as close a match for `su` (or `su -c`) because while plain `su` does *not* invoke a login shell it *does* change more environment variables than plain `sudo` or `sudo -s` (in particular, plain `su` changes `$HOME`). – Eliah Kagan Mar 18 '14 at 20:01
  • Ah, my bad. I meant simulated initial login, not an actual login. Other than that, your comments seem correct, so I will update my answer accordingly. – Davidson Chua Mar 19 '14 at 02:17
  • After looking at the duplicate's solution again, another difference between `su` and `sudo -i` is that `su` gives you complete root privileges, as if you were actually root. Whereas, `sudo -i` you can restrict which programs users in the sudoers file can run. Thus, the sudoers aren't really root. To edit `root's` privileges and settings you would literally have to be logged in as `root`, and the changes would be reflected when you `su`. – user161589 Aug 09 '15 at 18:07
0

sudo -i tries to become the user whose password you use, it runs that user's login specific resources (.profile etc) and tries to run from the user's home directory.

su on the other hand logs you in as other users, in the other user's home directory. And that account's login specific resources will be run. By default su logs you in as root.

I recommend using sudo -i over su, unless you know what you're doing.

Seth
  • Files created from a `sudo -i` shell are owned by root too, same with regular `sudo`, `sudo -s`, `sudo -H`, `su -`, and others. You may be thinking of how files (particularly config files) *in the user's own home directory* may be created as root and prevent applications from working properly. This is specifically a problem with *graphical applications* (since they usually store user-specific configuration files). The reason `sudo -H` and `sudo -i` avoid this is they cause *root*'s home folder to be used instead. **`sudo -i` should *not* be used as a *general* alternative to regular `sudo`.** – Eliah Kagan Mar 16 '14 at 18:41
  • @EliahKagan You're right, I had misread some earlier posts, my bad. IMO most of my answer still stands however, there is more of a difference between `sudo -i` and `su` than just the password. – Seth Mar 16 '14 at 23:15