User Environment Variables With “su” and “sudo” in Linux

su and sudo allow to execute commands or shell with a different user. Depending on how they are invoked the environment variables can change, causing different command results.

Both “su” and “sudo” allow to execute commands on behalf of other user. The usage of su implies the knowledge of the “other” user password except if invoked by root. There is not much control on what the user can do, if the access is granted there is no restriction.

In sudo there is a fine control on what the user can do, what commands can be run. There is no need to know the password of the “other” user. The permissions are set in a configuration file.

Note: The use of sudo su [USER] should be avoid, because it uses two security context changes. It’s recommended to use sudo -u [USER].

su – run a command with substitute user and group ID

From the man page:

su allows to run commands with substitute user and group ID.

When called without arguments su defaults to running an interactive
shell as root.

For backward compatibility su defaults to not change the current direc‐
tory and to only set the environment variables HOME and SHELL (plus
USER and LOGNAME if the target user is not root). It is recommended to
always use the --login option (instead it's shortcut -) to avoid side
effects caused by mixing environments.

Example:

# su opc -c 'echo $PATH'
/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
# su - opc -c 'echo $PATH'
/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/opc/.local/bin:/home/opc/bin

In “su opc” the enviroment variables used to run the command is the original one, in this case the user root environment. If the command is invoked with “” or “–login” the environment is the “opc” user, except for “TERM”.

As explained by the manual page:

-, -l, --login
  Starts the shell as login shell with an environment similar to a
  real login:

  o clears all environment variables except for TERM

  o initializes the environment variables HOME, SHELL,
  USER, LOGNAME, PATH

  o changes to the target user's home directory

  o sets argv[0] of the shell to '-' in order to make the
  shell a login shell

sudo – execute a command as another user

From the man page:

sudo allows a permitted user to execute a command as the superuser or
another user, as specified by the security policy. The invoking user's
real (not effective) user ID is used to determine the user name with
which to query the security policy.

Example:

# sudo -u opc bash -c 'echo $PATH'
/sbin:/bin:/usr/sbin:/usr/bin
# sudo -i -u opc bash -c 'echo $PATH'
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/home/opc/.local/bin:/home/opc/bin

In “sudo” the environment variable are passed from original session to the “sudo” session as defined in /etc/sudoers:

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

The defined variables are preserved.

Using “sudo -i” can cause some variables to be reset:

-i, --login
    Run the shell specified by the target user's password data‐
    base entry as a login shell. This means that login-specific
    resource files such as .profile, .bash_profile or .login will
    be read by the shell. If a command is specified, it is
    passed to the shell for execution via the shell's -c option.
    If no command is specified, an interactive shell is executed.
    sudo attempts to change to that user's home directory before
    running the shell. The command is run with an environment
    similar to the one a user would receive at log in. Note that
    most shells behave differently when a command is specified as
    compared to an interactive session; consult the shell's man‐
    ual for details. The Command environment section in the
    sudoers(5) manual documents how the -i option affects the
    environment in which a command is run when the sudoers policy
    is in use.

Example, from default /etc/sudoers, the PS1 variable will be preserved:

# PS1="%: " sudo -u opc bash
%:
# PS1="%: " sudo -i -u opc bash
[opc@[HOSTNAME] ~]$

If “-i” is used, it will cause login resource files to be run, the PS1 variable was reset as set in /etc/bashrc.

Related Post