Learn › RHCSA (EX200) › Exam Orientation + Essential Tools
su - a hands-on Linux lab on a real virtual machine.
Read your identity with whoami and id, find the wheel group that grants sudo, and become root two ways: su - for a full login shell with the root password, and sudo -i for the same clean root shell using only your own. RHEL 10, EX200 user-switching objective.
It is the first hour of the exam. You have just booted into rescue mode, reset the root password, and rebooted. The login prompt appears. You log in as student, the ordinary account, because that is the account you were given. Every task on the sheet after this one needs root: install a package, edit a file under /etc, start a service. None of that works as student.
So the very first move on a live RHEL system is almost never the task itself. It is answering one question: who am I right now, and how do I become the user who can do the work? Two commands answer the first half, whoami and id. Two more do the switching, su and sudo. This lesson is those four, in the order you actually reach for them. It serves the EX200 objective "log in and switch users in multiuser targets."
The black boxes below are a practice terminal: a safe sandbox that checks only the one command each step teaches. You cannot break anything and you never type a real password here. On the live machine at the end of the module, you run these same commands against a real RHEL 10 system and switch users for real.
Before you switch to anyone, know who you are. Linux is a multiuser system: every process runs as some user, and that user's identity decides what the process is allowed to touch. Two commands report that identity.
whoami is the blunt one. It prints one thing, the name of the user you are running as, and nothing else. When you have switched users twice and lost track, whoami is the fastest way to get your bearings. Run it:
whoami
prompt: student@servera:~$ answer: whoami output: student hint: One word, no flags. It is literally the question spelled as a command: who am i.
One line, your username. That is the whole job of whoami. It answers exactly one question, and it never lies: whatever name prints is the user every command you run right now will run as. After a su or a sudo -i, this is the command that tells you the switch actually took.
whoami gives you the name. id gives you the whole identity in one line: your numeric user id, your primary group, every group you belong to, and on RHEL your SELinux security context. This is the command that tells you whether you can become root at all, and you are about to see why.
Run it and read every field:
id
prompt: student@servera:~$ answer: id output: uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 hint: Two letters: i, d. No flags needed for the full line.
That exact line is from the capture machine. Your uid and gid numbers, and especially the context= string at the end (the SELinux category range like s0-s0:c0.c1023), will read differently on your machine. What matters is not the numbers, it is the SHAPE: uid, gid, groups, and the one group name you are hunting for, which is next.
Look again at the groups= field: groups=1000(student),10(wheel). The student user is a member of a group called wheel, group number 10. That single membership is the whole story of sudo on RHEL.
On a stock RHEL or AlmaLinux system, the sudo configuration ships with one rule already active: any member of the wheel group may run any command as root. So the question "can I use sudo here?" reduces to "am I in wheel?", and id just answered it. You saw wheel in your groups, so sudo will work for you. If a user is not in wheel, sudo refuses them. The fix on the exam is usermod -aG wheel <name> to add them, a command you meet in full in the users module.
There is no output to reveal here, just a habit worth burning in: on any unfamiliar RHEL box, run id first. If you see wheel, you already know sudo is your fastest path to root.
The context= field at the end of id is your SELinux context. You do not act on it in this lesson, but seeing unconfined_u:unconfined_r:unconfined_t tells you this login is running unconfined, which is normal for an interactive shell. SELinux gets its own lessons later in the track.
Now the switch itself. Two tools, and the difference between them is the difference between a wasted five minutes and a clean exam.
su means substitute user (most people read it as "switch user"). Bare su with no name switches you to root, and it asks for the ROOT password. But there is a trap in how it switches. Written plainly, su keeps your CURRENT environment: your PATH, your working directory, your shell variables all stay as student had them. That matters because root's PATH includes /sbin and /usr/sbin, where admin tools like useradd and systemctl live, and student's PATH may not. So a bare su can leave you as root with commands mysteriously "not found."
The fix is one character: the hyphen. su - runs a full LOGIN shell as the target user. It resets the environment completely, loads root's PATH, and drops you in root's home directory /root, exactly as if root had logged in fresh. On the exam you always want su -, never bare su.
Verify the distinction the way a working engineer does, by asking whoami right after switching. In the practice box, confirm the command you would run to become root with a clean login shell:
su -
prompt: student@servera:~$ answer: su - output: hint: The switch-user command, then a space and a single hyphen. The hyphen is what makes it a login shell.
su - is the whole move. On a real machine it prompts for the root password, then hands you a root prompt sitting in /root with root's full PATH. Bare su (no hyphen) would also make you root, but it would keep student's environment, so admin tools in /sbin could vanish from your PATH. The hyphen is not decoration; it is the difference between a working root shell and a broken one. To target a specific person instead of root, name them: su - username gives that user a full login shell too.
su - needs the root password. Often you do not have it, or you do not want a full root shell, you just want to run ONE command with root power. That is sudo, which reads as substitute user do.
The key difference from su: sudo asks for YOUR password, not root's. It works because you are in wheel, which you confirmed with id. Put sudo in front of any command and that one command runs as root, then you drop straight back to your normal student shell. Nothing else changes.
A file only root can read is the honest test. /etc/shadow holds password hashes and is readable by root alone, so reading it proves the elevation worked. In the practice box, confirm the command that reads it with a single elevated command:
sudo cat /etc/shadow
prompt: student@servera:~$ answer: sudo cat /etc/shadow output: hint: The elevate-one-command word, then the ordinary command you want root to run: cat /etc/shadow.
sudo cat /etc/shadow runs just that cat as root, then returns you to student. On a real machine it prompts for YOUR password the first time, not root's, which is the whole appeal of sudo: you never need the root password if you are in wheel. When you want a full root shell instead of a single command, sudo -i gives you one, a root login shell just like su - but authenticated with your own password. Two flavors: sudo <command> for one action, sudo -i to stay as root.
Scaffolding off. No command is shown this time.
You are logged in as student and you have already run id, so you know you are in the wheel group. You do not know the root password and you do not want to hunt for it. You want to become root with a full login environment (root's PATH, root's home) using nothing but your OWN password.
prompt: student@servera:~$ answer: sudo -i output: hint: You want a root LOGIN shell but only your own password. That rules out su, which wants root's password. Reach for the sudo form that opens an interactive login shell.
sudo -i is the answer. su - would also give you a root login shell, but it demands the root password, which you do not have. Because you are in wheel, sudo -i authenticates with YOUR password and drops you into a full root login shell, same clean environment as su - but without ever needing root's secret. This is the move most engineers make first on the exam: sudo -i, then work as root from there. You recalled it from the difference between the two tools, which is exactly the recall the real machine will ask of you.
You earned this cheat sheet. Every row is something you just ran or just reasoned through:
The two habits that stick: run id first on any unfamiliar box to confirm wheel, and always take the login shell (su - or sudo -i), never the bare su that leaves you with a half-broken PATH.
Which password? su and su - ask for the TARGET user's password (root's, when becoming root). sudo and sudo -i ask for YOUR OWN password. Mixing these up is the single most common time-waster on this objective. When you are in wheel and do not have the root password, sudo -i is the reliable path to root.
The practice terminal has shown you the shape of identity and switching: whoami and id to read who you are, wheel as the group that unlocks sudo, su - for a login shell with the root password, and sudo -i for the same clean root shell using only your own. Every one of those you typed yourself.
Module 1, essential-tools, ends on one real RHEL 10 machine: the essential-tools capstone mission. A live system boots for you, you log in as an ordinary user, and the mission hands you objectives that need root. There you switch users for real, with a real password prompt, and read your identity with id against a live SELinux context. One difference from here: the mission shows no commands. You read the objective, you recall the switch, you type it. That recall is what makes it stick under exam pressure.
Finish the other essential-tools lessons, then go become root on a real machine.
Practice Login and User Switching in a real Linux terminal at The Linux Camp. Progress is verified automatically as you type commands on the machine.