Learn › Linux Foundations › User Switching
su - a hands-on Linux lab on a real virtual machine.
su makes you a different account on the same machine. Switch into another user with su - <name, learn what the dash changes, run one command as them with -c, reach root by leaving the name off, and see why su wants the target account password, all in the practice terminal.
Every command you have typed so far, you typed as student. That is who this machine believes you are: one account, one home directory, one set of permissions. But Linux machines are not one-person machines. They are built for many accounts living side by side, and sometimes the work in front of you belongs to a different one.
So here is the question this lesson answers: can you *become* another account without logging out? Not peek at its files, actually switch: run commands as that user, in their home, with their permissions. The command for that is su, short for switch user. It walks you into another account and leaves you there. (Linux has a second door into other identities, sudo, which borrows power for a single command instead of moving you. That one gets the next lesson.)
The black boxes in this lesson are a practice terminal: a safe sandbox that only checks the one command each step teaches, so you cannot break anything. Becoming another user for real opens a whole session the machine has to remember, and a sandbox cannot hold an open session like that. So here you prove each switch with a single command run *through* it, and you do the real, interactive switching on the machine at the end of the module.
This machine has a second ordinary account named agent, sitting right alongside your own student account, with its own home directory and its own files. Step into it. The cleanest form of the command is su - <name>, and to prove where you landed you run one command inside the switch with -c, which you will meet properly in a moment. The proof command is whoami, which you know from orientation: it prints the name of the account running it. Before you press Enter, decide: which name will come back, student or agent? Now type this exactly:
su - agent -c whoami
prompt: student@linuxcamp:~$ answer: su - agent -c whoami output: agent hint: Type su, space, dash, space, the name agent, then -c whoami: su - agent -c whoami
The machine answered agent, not student. For the length of that command you were a different person on the same box. That is the whole idea of su: it does not borrow a permission, it changes who you *are*. The next steps take that switch apart one piece at a time, starting with the dash you just used.
A name on its own is thin proof. Linux has a command called id that prints an account's full ID card: its numeric user id (short uid), its group, and every group it belongs to. You will get to know id properly in the next lesson; here you only need to read the first field. Run as yourself, id opens with uid=1001(student), your account's number. Before you run it *through* the switch, decide: will the uid still read 1001, or something else?
su - agent -c id
prompt: student@linuxcamp:~$ answer: su - agent -c id output: uid=1002(agent) gid=1002(agent) groups=1002(agent) hint: Same switch as before, but run id instead of whoami: su - agent -c id
uid=1002(agent), a different number from your own uid=1001(student). This is the real test of a switch: not the name alone, but the uid behind it. Under su the command genuinely ran as user 1002, agent, a separate account with its own number. You did not gain an extra permission on top of your own account. You became a different user, uid and all.
That dash in su - agent is not decoration, and it is the single most important thing to understand about su. There are two ways to switch, and the dash is the difference.
Plain su agent, no dash, changes who you are but leaves you standing exactly where you were: same directory, and most of your own settings carry over. You become agent, but in your surroundings.
su - agent, with the dash, does a full login switch: it starts a fresh session exactly as if agent had just logged in at the machine. It runs agent's own start-up settings and drops you into agent's own home directory, not wherever you happened to be. Remember pwd from orientation: it prints the directory you are standing in. Before you run it through the login switch, decide: what exact path will pwd print? Your own home is /home/student. Where would a fresh login as agent land?
su - agent -c pwd
prompt: student@linuxcamp:~$ answer: su - agent -c pwd output: /home/agent hint: Same login switch, run pwd this time: su - agent -c pwd
/home/agent. The dash walked you all the way into agent's home, exactly as a real login would. Plain su agent (no dash) would have left pwd reading /home/student, your own directory, because without the dash you keep your surroundings and only change identity. Reach for the dash form almost always: su - <name> gives you the target account cleanly and completely, with none of your own environment leaking in to confuse things.
You have already been using -c in every step, and now it earns its own beat. On its own, su - agent would open agent's shell and *keep* it: every command you type after that runs as agent until you type exit to come back. That is the interactive switch, and it is what you will do on the real machine.
The -c flag is the one-shot version. su - agent -c '<command>' opens agent's login shell, runs exactly that one command inside it, and hands you straight back to your own account. It is the difference between moving in and just stepping through to do one thing. It is also why every terminal here can grade a switch: -c makes it a single, finished command instead of an open session.
So far you have been reading -c's *output*. This time watch what happens after the output: the round trip back. Before you run this, decide: when the command finishes, whose prompt will you be sitting at, agent's or your own? Run the switch once more and read the line that follows the answer:
su - agent -c whoami
prompt: student@linuxcamp:~$ answer: su - agent -c whoami output: agent hint: The one-shot form again: su - agent -c whoami. This time read the prompt that comes back after the output.
The machine said agent, and the very next prompt reads student@linuxcamp:~$. You were agent for exactly one command, then -c handed you straight back. No exit to remember, no open session left behind. That is the shape you will use constantly: su - <name> -c <command> does one thing as another user and returns you to yourself.
su has one built-in shortcut worth knowing. If you give it no user name at all, it assumes you mean root, the administrator account. So su - on its own is a full login switch to root, and it drops you at a prompt ending in # instead of the usual $. That # is the classic Linux signal for "you are root now, be careful."
Prove that the target really is root by running one command through the switch. Before you run it, decide: what single word will come back?
su - root -c whoami
prompt: student@linuxcamp:~$ answer: su - root -c whoami|||su - -c whoami output: root hint: su - with root as the target (or no name at all), then -c whoami: su - root -c whoami
root. Naming root and leaving the name off entirely do the same thing, because root is su's default target. In a real terminal, plain su - would leave you sitting at a root@linuxcamp:~# prompt, running everything as root until you type exit. The next lesson adds a second road to a root shell; this one, su -, is yours already.
There is one thing the practice terminal cannot act out, and it is the thing most people get wrong about su. When you run su for real, it stops and asks for a password, like this:
Password:
Read carefully whose password that is. su asks for the target account's password: agent's password when you su - agent, root's password when you su -. That makes sense, because you are not borrowing a permission, you are logging in as that account, and to log in as agent you must know agent's password. As with any password prompt, nothing appears on screen while you type it. (Hold on to this rule: the next lesson's command, sudo, asks for the opposite password, your own.)
The practice terminals in this lesson never asked for a password because they are a replay sandbox: they check the command you type and show you the real machine's recorded answer, so there is no live account to log into. On the real mission machine at the end of this module, su - agent will stop and ask for agent's password, and the mission hands you that password when you need it. The rule to carry to every machine: **su wants the password of the account you are switching *to*, not your own.**
Scaffolding off. No commands are shown in this step. You have every form of su you need: read each goal, recall the shape, and type it yourself.
Challenge 1. Pull up agent's full ID card, uid and all, in one shot: a full login switch into agent that runs the ID-card command and comes straight back.
prompt: student@linuxcamp:~$ answer: su - agent -c id output: uid=1002(agent) gid=1002(agent) groups=1002(agent) hint: The pattern is su - <name> -c <command>. The ID-card command is id.
Challenge 2. Prove where a login switch lands. Through a full login switch to agent, run the command that prints the current directory, and make it answer with agent's home.
prompt: student@linuxcamp:~$ answer: su - agent -c pwd output: /home/agent hint: Same su - <name> -c <command> pattern. The current-directory command is pwd.
Challenge 3. Make root say its own name, without typing the word root anywhere in your command. One form of su from this lesson does exactly that.
prompt: student@linuxcamp:~$ answer: su - -c whoami output: root hint: Leave the user name off entirely, dash and all the rest in place. su falls back to its default target.
You earned this cheat sheet. Every row is a form of su you have already run:
The one idea under all of it: su does not hand you an extra permission, it makes you a different account. Reach for the dash form, su - <user>, almost always, so you get that account cleanly. Use -c when you only have one thing to do there, and remember the password it wants is the *target's*, not yours.
The moment you land in another account, make whoami your first move. switch then whoami is the habit that saves you from running a command as the wrong person, and from forgetting you are still someone else after a switch.
The practice terminal has shown you the shape of su. su - <name> becomes another account, the dash makes it a clean login switch, -c does one thing and comes back, and no name at all switches to root. Every switch you proved by running a command *through* it and reading the answer.
The User-Switching module ends with one real Linux machine, booted just for you on this same handoff filesystem, and that is where you switch accounts for real, interactively. There the agent account is waiting for you to su into it, land in agent's home, and sign your work in agent's name. Unlike here, the switch will open a live session: su - agent will stop and ask for agent's password (the mission gives it to you), then you are agent until you type exit to come back to student. The mission shows no commands. You read each objective, recall the switch, type it, then prove it with whoami or id, exactly the move you just practiced here.
Next comes sudo, the other door into another identity: borrowing root's power for one command without ever leaving yourself. Finish that lesson, then go become someone else for real.
Practice su: Become Another User in a real Linux terminal at The Linux Camp. Progress is verified automatically as you type commands on the machine.