su — Switch User in a Running Session
Practical guide to su: switch identity in a running shell, open a login shell with su -, run commands as another user, and how it differs from sudo.
su (substitute user) switches your identity in a running session without logging out and back in. With no argument you become root; with su - <user> you drop into another account's full environment. Unlike sudo, su asks for the target user's password rather than your own. This guide covers the login shell, running single commands, and why sudo is usually the better, more auditable choice on modern systems.
Basic Usage
su — Switch to root. Prompts for root's password. Does not change the working directory or environment.
    su
su - — Switch to root with a full login shell. Loads root's environment (.profile, .bashrc). Recommended over plain 'su'.
    su -
su <user> — Switch to a specific user. Prompts for that user's password.
    su deploy
su - <user> — Switch to a specific user with a full login shell. Changes directory to that user's home and loads their environment.
    su - www-data
su -l <user> — Same as 'su -
    su -l postgres
Run Commands Without Switching Shell
su -c '<command>' <user> — Run a single command as another user without opening an interactive shell.
    su -c 'whoami' deploy
su - -c '<command>' — Run a single command as root with a login environment.
    su - -c 'systemctl restart nginx'
su -s /bin/bash <user> — Switch to a user using a specific shell, even if their login shell is different (e.g. /sbin/nologin).
    su -s /bin/bash www-data
su -s /bin/bash -c '<command>' <user> — Run a command as a system user that has no interactive login shell.
    su -s /bin/bash -c 'php artisan queue:work' www-data
Environment Control
su (without -) — Keeps the current user's environment variables (PATH, HOME, etc.). Only the user identity changes.
    su root
su - (with -) — Creates a fresh login environment for the target user. HOME, PATH, SHELL, and USER are all set to the target user's values.
    su - root
su -m <user> — Same as -p. Preserve the current environment when switching user.
    su -m deploy
su -p <user> — Preserve the current environment (PATH, HOME, etc.) when switching user.
    su -p deploy
su vs sudo
su - root — Requires root's password. Opens a full root login shell.
    su - root
sudo -i — Requires the current user's password. Opens a full root login shell. Preferred on modern systems.
    sudo -i
sudo su - — Use sudo to become root without knowing root's password. Common pattern when root login is disabled.
    sudo su -
sudo -u <user> -s — Open a shell as another user using sudo (no need to know the target user's password).
    sudo -u www-data -s
Options & Flags
su --help — Show help and available options.
    su --help
su -w VAR <user> — Whitelist specific environment variables to keep when switching user (util-linux su).
    su -w TERM,COLORTERM deploy
exit — Exit the switched user session and return to the previous user.
    exit
Ctrl+D — Send EOF to exit the switched user shell. Equivalent to 'exit'.
    Ctrl+D
Conclusion
The most important difference hides in a single dash: su - starts a real login shell and loads the target's full environment (HOME, PATH, SHELL), whereas su <user> only swaps the identity and keeps your current environment – which can lead to surprising PATH and configuration issues. For one-off tasks su -c '<cmd>' is enough, and su -s /bin/bash lets you enter system accounts like www-data whose login shell is set to /sbin/nologin. The security distinction is key: su asks for the target user's password (root's password when switching to root), while sudo asks for your own. That is why sudo is usually the better choice on modern systems – authorizable per command, fully auditable, and direct root login is commonly disabled with a locked password (!) in favour of sudo. Treat both with care: every switch is a privilege escalation.
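The two account properties the conclusion relies on, a locked password (!) and a /sbin/nologin shell, can be read from shadow(5) and passwd(5) data. The script below is an added example, not part of the original guide; su_report, demo, the flag names and the sample account records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify accounts by how su can reach them.
# Reads passwd(5)/shadow(5)-format files; demo() uses constructed sample data.

# su_report PASSWD_FILE SHADOW_FILE
# Prints: <user> password=<set|locked|empty|unknown> shell=<login|nologin> flag=<...>
su_report() {
    awk -F: '
        FILENAME == ARGV[1] {             # shadow(5): field 2 is the password hash
            if ($2 == "")          pw[$1] = "empty"
            else if ($2 ~ /^[!*]/) pw[$1] = "locked"  # "!" or "*": not a valid hash
            else                   pw[$1] = "set"
            next
        }
        {                                 # passwd(5): field 7 is the login shell
            p  = ($1 in pw) ? pw[$1] : "unknown"
            sh = ($7 ~ /\/(nologin|false)$/) ? "nologin" : "login"  # needs su -s
            flag = "none"
            if (p == "locked")              flag = "sudo-only"      # su prompt cannot succeed
            if ($1 == "root" && p == "set") flag = "root-password"  # direct root su possible
            if (p == "empty")               flag = "empty-password" # review this account
            printf "%s password=%s shell=%s flag=%s\n", $1, p, sh, flag
        }
    ' "$2" "$1"
}

# Constructed sample: root locked, deploy with a placeholder hash, www-data as a system account.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
    cat > "$dir/shadow" <<'EOF'
root:!:19700:0:99999:7:::
deploy:$6$constructedsalt$constructedhash:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
EOF
    su_report "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo
```

On a real host, su_report /etc/passwd /etc/shadow needs read access to /etc/shadow, so it has to run as root.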
Further Reading
- Wikipedia: su (Unix) – background on the command and its history
- util-linux su manual – the authoritative reference for su's options and behaviour