# su — Switch User in a Running Session

> Practical guide to su: switch identity in a running shell, open a login shell with su -, run commands as another user, and how it differs from sudo.

Source: https://www.jpkc.com/db/en/cheatsheets/shell-system/su/

<!-- PROSE:intro -->
`su` (substitute user) switches your identity in a running session without logging out and back in. With no argument you become root; with `su - <user>` you drop into another account's full environment. Unlike `sudo`, `su` asks for the target user's password rather than your own. This guide covers the login shell, running single commands, and why `sudo` is usually the better, more auditable choice on modern systems.
<!-- PROSE:intro:end -->

## Basic Usage

`su` — Switch to root. Prompts for root's password. Does not change the working directory or environment.

```bash
su
```

`su -` — Switch to root with a full login shell. Loads root's environment (`.profile`, `.bashrc`). Recommended over plain `su`.

```bash
su -
```

`su <user>` — Switch to a specific user. Prompts for that user's password.

```bash
su deploy
```

`su - <user>` — Switch to a specific user with a full login shell. Changes directory to that user's home and loads their environment.

```bash
su - www-data
```

`su -l <user>` — Same as `su - <user>`. The `-l` flag requests a login shell.

```bash
su -l postgres
```

## Run Commands Without Switching Shell

`su -c '<command>' <user>` — Run a single command as another user without opening an interactive shell.

```bash
su -c 'whoami' deploy
```

`su - -c '<command>'` — Run a single command as root with a login environment.

```bash
su - -c 'systemctl restart nginx'
```

`su -s /bin/bash <user>` — Switch to a user using a specific shell, even if their login shell is different (e.g. /sbin/nologin).

```bash
su -s /bin/bash www-data
```

`su -s /bin/bash -c '<command>' <user>` — Run a command as a system user that has no interactive login shell.

```bash
su -s /bin/bash -c 'php artisan queue:work' www-data
```

## Environment Control

`su (without -)` — Keeps the current user's environment variables (PATH, HOME, etc.). Only the user identity changes.

```bash
su root
```

`su - (with -)` — Creates a fresh login environment for the target user. HOME, PATH, SHELL, and USER are all set to the target user's values.

```bash
su - root
```

`su -m <user>` — Same as -p. Preserve the current environment when switching user.

```bash
su -m deploy
```

`su -p <user>` — Preserve the current environment (PATH, HOME, etc.) when switching user.

```bash
su -p deploy
```
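
To see which of these effects actually applies on a given system, the following added example (not part of the original cheat sheet) can be sourced in the shell you land in after a switch: it compares `HOME` with the account's passwd entry and lists `PATH` entries that are empty, relative, or writable by group or others, which matters most when the new shell is root's. The function names and the `PASSWD_FILE` variable are hypothetical, and only local `/etc/passwd` accounts are looked up.

```bash
#!/usr/bin/env bash
# Added example: check, inside the switched shell, what was inherited.
# Function names and PASSWD_FILE are hypothetical helpers, not part of su.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}   # local accounts only (no LDAP/NIS)

# Print PATH entries that are unsafe for a privileged shell.
risky_path_entries() {
  case ":$1:" in
    *::*) echo "empty entry (resolves to the current directory)" ;;
  esac
  old_ifs=$IFS; IFS=:; set -f          # split on ':' without globbing
  set -- $1
  set +f; IFS=$old_ifs
  for dir in "$@"; do
    case $dir in
      "") continue ;;
      /*) ;;
      *)  echo "relative entry: $dir"; continue ;;
    esac
    [ -d "$dir" ] || continue
    # Mode string of the directory itself; -L follows symlinks.
    mode=$(ls -ldL -- "$dir" | cut -c1-10)
    case $mode in
      ?????w*|????????w*) echo "group/other-writable: $dir" ;;
    esac
  done
}

# Compare HOME with the passwd entry of USER, then inspect PATH.
# Arguments default to the live values of the current shell.
audit_switched_env() {
  user=${1:-$(id -un 2>/dev/null || id -u)}; home=${2:-$HOME}; path=${3:-$PATH}
  expected=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$PASSWD_FILE")
  if [ "$home" != "$expected" ]; then
    echo "HOME is $home, passwd entry for $user says $expected"
  fi
  risky_path_entries "$path"
}

audit_switched_env
```

No output means `HOME` matches the account and every `PATH` entry is an absolute directory that only its owner can write to.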

## su vs sudo

`su - root` — Requires root's password. Opens a full root login shell.

```bash
su - root
```

`sudo -i` — Requires the current user's password. Opens a full root login shell. Preferred on modern systems.

```bash
sudo -i
```

`sudo su -` — Use sudo to become root without knowing root's password. Common pattern when root login is disabled.

```bash
sudo su -
```

`sudo -u <user> -s` — Open a shell as another user using sudo (no need to know the target user's password).

```bash
sudo -u www-data -s
```

## Options & Flags

`su --help` — Show help and available options.

```bash
su --help
```

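`su -l -w VAR <user>` — Whitelist specific environment variables to keep when switching user (util-linux su). The whitelist applies to the environment reset done for a login shell, so combine it with `-l`.

```bash
su -l -w TERM,COLORTERM deploy
```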

`exit` — Exit the switched user session and return to the previous user.

```bash
exit
```

`Ctrl+D` — Send EOF to exit the switched user shell. Equivalent to `exit`.

```bash
# Press Ctrl+D at the prompt; this is a keystroke, not a command
```

<!-- PROSE:outro -->
## Conclusion

The most important difference hides in a single dash: `su -` starts a real login shell and loads the target's full environment (HOME, PATH, SHELL), whereas `su <user>` only swaps the identity and keeps your current environment, which tends to cause surprising path and configuration issues. For one-off tasks `su -c '<cmd>'` is enough, and `su -s /bin/bash` lets you enter system accounts like `www-data` whose login shell is set to `/sbin/nologin`. The security distinction is key: `su` asks for the target user's password (root's password when switching to root), while `sudo` asks for your own. That is why `sudo` is usually the better choice on modern systems: it can be authorized per command and is fully auditable, and direct root login is commonly disabled with a locked password (`!`) in favour of `sudo`. Treat both with care: every switch is a privilege escalation.
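
To make the auditing point concrete, this added example (not part of the original cheat sheet) tallies `su` attempts per caller and target from syslog-style lines and flags repeated failures. It assumes the message format util-linux `su` writes, `(to TARGET) CALLER on TTY` with a `FAILED SU` prefix on failures; the sample lines, host names and user names are constructed.

```bash
#!/usr/bin/env bash
# Added example: tally su attempts per caller and target from auth logs.
# Assumed message format (util-linux su): "(to TARGET) CALLER on TTY",
# prefixed with "FAILED SU " when authentication failed.

# Constructed sample lines; hosts, users and addresses are made up.
sample_auth_log() {
  cat <<'EOF'
Mar  3 09:14:02 web01 su: (to root) alice on pts/0
Mar  3 09:14:02 web01 su: pam_unix(su:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  3 09:15:40 web01 su: FAILED SU (to root) bob on pts/1
Mar  3 09:15:47 web01 su: FAILED SU (to root) bob on pts/1
Mar  3 09:15:55 web01 su: FAILED SU (to root) bob on pts/1
2024-03-03T09:20:11+00:00 web01 su[2210]: (to www-data) alice on pts/0
Mar  3 09:21:30 web01 sshd[2301]: Accepted publickey for carol from 192.0.2.10 port 50022 ssh2
EOF
}

# Print "CALLER TARGET ok=N failed=N" for each caller/target pair.
summarise_su() {
  awk '
    {
      # Find the syslog tag "su:" or "su[pid]:" near the start of the line.
      tag = 0
      for (n = 1; n <= NF && n <= 5; n++)
        if ($n ~ /^su(\[[0-9]+\])?:$/) { tag = n; break }
      if (!tag) next
      i = tag + 1; failed = 0
      if ($i == "FAILED" && $(i + 1) == "SU") { failed = 1; i += 2 }
      if ($i != "(to") next            # PAM and other su messages
      target = $(i + 1); sub(/\)$/, "", target)
      key = $(i + 2) " " target
      seen[key] = 1
      if (failed) bad[key]++; else ok[key]++
    }
    END {
      for (k in seen) printf "%s ok=%d failed=%d\n", k, ok[k], bad[k]
    }' | sort
}

# Print "CALLER -> TARGET" for pairs with at least $1 failures (default 3).
flag_repeated_failures() {
  summarise_su | awk -v t="${1:-3}" '
    { split($4, f, "="); if (f[2] + 0 >= t) print $1 " -> " $2 }'
}

sample_auth_log | summarise_su
sample_auth_log | flag_repeated_failures 3
```

On a live host, pipe the auth log or journal output into `summarise_su` instead of the sample; where that log lives depends on the distribution.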

## Further Reading

- [Wikipedia: su (Unix)](https://en.wikipedia.org/wiki/Su_(Unix)) – background on the command and its history
- [util-linux su manual](https://man7.org/linux/man-pages/man1/su.1.html) – the authoritative reference for su's options and behaviour
<!-- PROSE:outro:end -->

## Related Commands

- [sudo](https://www.jpkc.com/db/en/cheatsheets/shell-system/sudo/) – run individual commands with elevated privileges using your own password and an audit log
- [id](https://www.jpkc.com/db/en/cheatsheets/shell-system/id/) – show the current user and group IDs, handy to confirm a switch
- [useradd](https://www.jpkc.com/db/en/cheatsheets/shell-system/useradd/) – create the user accounts you then switch into

