Usage of sudo vs su

For some reason I have had a strange idea/doubt for a long time, and wondering if you could help me…

Did usage of “sudo” over “su -” use to be discouraged on openSUSE in general in the past? Or is it just idea of mine?

If not, when do you normally use one or the other?


I for one discourage it’s use… :wink: If you want to use sudo, then it’s better to configure the sudoers file since it’s not really configured…

So it wasn’t just idea of mine…

Why is sudo discouraged in openSUSE and not in other distros? What’s different here?

It isn’t discouraged in openSUSE IMHO. It is just one of the ways to get a root owned process.

Personally I never use it, but I use

su -

That - is crucial!

The implementation in KDE of the menu item “System” > “Terminal - Super User Mode” does do an su -. Thus that is the way I normally do it. It has also the avantage that I can give that terminal a different background colour as an alert.

AFAIK the default sudo configuration as installed with openSUSE results in the same allowances as su -. But in that case, I do not see any advantage in using the fat sudo over the tiny su - (and no surprises in case the sudo configuration is a bit different from what you assumed it is).

But I may be biased by the fact that su existed looooong before sudo.

I don’t think openSUSE is actively discouraging “sudo”. I think SuSE existed before “sudo” existed.

My view from early on is:

System administrators us “su” to get permission for their administrative tasks.
Other people use “sudo” to handle more limited responsibilities. For example, you could setup “sudo” so that some operational staff could use it to take backups but could not do other administrative tasks.

And then Ubuntu happened, and they adopted the policy that “sudo” was the way to administer the system. That’s one of the things that I dislike about Ubuntu.

I am fully with @nrickert. It seems that other distros (I am not that fluent in all of them, but I accept that it starts with Ubuntu) misuse sudo with the effect that the Linux world is full of advice to precede almost every command with sudo :(.

But the way sudo is configured on those systems differ from what openSUSE does by default. In short, you need the root password “to get Superuser status” and not the user password. And that is as it should be.

But I differ about the age of sudo. See
I can add that it isn’t in the man pages of HP-UX 10.0 (1995, which I still have in print here), but it certainly was available then from other sources (univerity?) then or short after. We (my IT department) rejected it, because it was not from the provider Hewlett Packard and not opensource and thus we would have nobody to go to when there was a security hole).

If I try out a buntu based distro (currently kde-neon) I always set up sudoers like opensuse and create a root password.

I think Debian has both sudo and su, like openSUSE, but IIRC from somewhere in their forums, they think “sudo is the way to go because it’s safer than su: with sudo the root session ends as soon as command ends; with su you run the risk of the root shell remaining open”. Or so I understood…

Why do you discourage sudo?

Yes, that is one criticism of the root terminal approach. Of course similar to sudo (non-persistent approach), there is also the possibility to do

su -c <command>

On a single user system, little point, sure for managed systems to control user access and specific applications (I use it for osc and building packages with /usr/bin/build configured with visudo).

Switch to root user with su - (and not su) perform the required task(s) and exit… one task per sudo command, seems pointless?

I like a separate user password and root password, on other distributions that I have played with I always sudo -i and set a root password :wink:

sudo impersonates.
su (and su -) is the real root account.

There’s a big difference between the two, for systems like openSUSE which supports “su” each will grant you different access although for many things there isn’t a difference. An example is if you’re administrating a relational database, it’s unlikely that sudo will work.

Many other distros have a philosophy that true root access (su) is too dangerous to allow User access under any circumstances so forces Users to use the slightly less privileged sudo.

As long as I’ve used openSUSE (since 10.7), it’s always supported Users invoking “su” – It’s not new and has not changed since “forever.”
As such, you can choose to use “sudo” all you want but to my knowledge no one has ever compromised openSUSE because “su” was permitted. Maybe someone has even compromised openSUSE but never publicized that happening… but the two most likely means I can think of can be addressed simply… By not leaving an elevated console running unattended and making your root password different than your default User (which is not default installation). It would be very, very difficult to somehow access and use elevated permissions normally.

That’s why I say that it’s a waste of effort to type “sudo” for every one of 100 commands instead of executing those commands in an elevated “su” console.


I always run ‘su -’. On systems insisting on “sudo …” I run “sudo passwd” exactly once. Then I can use ‘su -’.

The reason is embedded in the comments of the default “/etc/sudoers” file:

## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

****** In other words, on a freshly installed system, always “visudo” to disable the default (easy) behaviour and achieve this behaviour:

 > LANG=C sudo something
[sudo] password for «*The user calling “sudo”*»: 
«*The user calling “sudo”*» is not in the sudoers file.  This incident will be reported.

And, in the systemd Journal:

Okt 01 13:27:35 xxx sudo[21600]: pam_kwallet5(sudo:auth): (null): pam_sm_authenticate
Okt 01 13:27:35 xxx sudo[21600]: pam_kwallet5(sudo:auth): pam_kwallet5: Couldn't get password (it is empty)
Okt 01 13:27:46 xxx sudo[21600]:      ?? : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/?? ; USER=root ; COMMAND=something
Okt 01 13:27:46 xxx postfix/pickup[21286]: D913340347: uid=0 from=<root>
Okt 01 13:27:46 xxx postfix/cleanup[21610]: D913340347: message-id=<20201001112746.D913340347@xxx.*Domain*>
Okt 01 13:27:46 xxx postfix/qmgr[2514]: D913340347: from=<root@xxx.*Domain*>, size=477, nrcpt=1 (queue active)
Okt 01 13:27:46 xxx postfix/local[21612]: D913340347: to=<root@xxx.*Domain*>, orig_to=<root>, relay=local, delay=0.12, delay>
Okt 01 13:27:46 xxx postfix/qmgr[2514]: D913340347: removed

And, the mail sent to the user “root” is:

>N  1 ??@xxx.*Domain* Thu Oct  1 13:27   16/613   *** SECURITY information for xxx ***

with content:

xxx : Oct  1 13:27:46 : ?? : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/?? ; USER=root ; COMMAND=something

IMHO, this is reasonable system security …

Great topic with great insights.

I couldn’t see how the distro would favor one over another, since openSUSE packages both. Except on a minimal install su is available while sudo is not. That said I prefer sudo, since most of my tasks require a single command as root, and I have a few selected commands that won’t require the root password when called with sudo (systemctl, zypper, rpmconf, btrfs). For a single-user system this is convenient. For multi-user, multi-admin, sudo is even more convenient. Besides, with su I’d have a different set of dotfiles, which would be inconvenient for me.

Relevant xkcd:

This thread reminds me of discussions whether vi or emacs is better :slight_smile:

So in the end it depends of the administrative needs…

By the way, there’s a multiboot USB tool that I use for installations of which I once talked about; the script that sets up the entire USB drive uses sudo and then gets back the username of original user in order to change ownership of the files copied to the USB.

Do you think this could be a reasonable use of sudo?

What minimal install are you describing?
I haven’t yet run into any openSUSE install where sudo wasn’t installed.


Why not just su to whatever User you want to be logged in as and then perform whatever operations as that User?


sudo is not a required package of anything I have installed. So deselecting “Recommended packages” in the installer is one way. Probably the literal “Minimal install” as well.

OK, if that is how you’re doing it,
Plenty of packages can be not installed by choice.

Was thinking along lines of default installs of JeOS, server(text only) installs.