# su must be SUID to work properly

The error message is a common roadblock for Linux users, particularly when working with Docker containers or embedded systems. It indicates that the su (substitute user) command lacks the necessary permission bits to authenticate and switch between user accounts.

Let's look at the primary function of su: allowing a user to become root after authenticating.

In a standard Linux environment, when a user executes a binary, the resulting process generally inherits the User ID (UID) of the user who launched it. This is the core of the security model.

This "default denial" is the bedrock of multi-user security. If alice could run a program that simply declared, "I want to be root now," without a mechanism trusted by the kernel, the entire permission system would collapse.

## Why the SUID Bit is Necessary

However, a common question arises among junior system administrators and curious Linux users: why does the su binary need the SUID (Set User ID) bit set? Why can't it just run as a normal program?

The SUID mechanism is a controlled violation of the standard security model. It allows a user to cross the boundary of "self" into the boundary of "other."

| Feature | su (with SUID) | sudo (typically 0755) |
|---|---|---|
| | Yes | No (relies on other mechanisms, e.g., setuid on sudo binary or file capabilities) |
| Authentication | Target user's password | Own password (or none) |
| Logging | Limited | Full command logging |
| Granularity | All or nothing | Per-command, per-host |

Without the SUID bit, su would essentially be a command that only works for users who already have the permissions to perform its actions. This defeats the purpose of having a command that allows users to temporarily gain elevated privileges.
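The following POSIX shell helper is an added example, not code from the original article: it audits whether a binary is in the state su needs, that is, carrying the setuid bit *and* owned by root (mode 4755, root:root). It distinguishes the three failure modes an administrator actually meets (bit missing, bit set without owner-execute, bit set on a non-root file). The temporary file it creates for the demo is constructed for illustration; the final call against `command -v su` only runs if su exists on the system.

```shell
#!/bin/sh
# Added example (not from the original article): audit whether a binary is
# setuid root, the state su requires. Uses only ls/awk/chmod/mktemp so it
# runs on any POSIX system; the temp file below is constructed for the demo.

# mode_of PATH -> prints the ls mode string, e.g. "-rwsr-xr-x"
mode_of() { ls -ld "$1" | awk '{print $1}'; }

# owner_of PATH -> prints the owning user, e.g. "root"
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# has_setuid_bit PATH -> 0 if the setuid bit is set together with owner-execute
# (an 's' in the fourth slot), 1 otherwise. A capital 'S' means the bit is set
# but the owner-execute bit is not, so the kernel cannot run it setuid anyway.
has_setuid_bit() {
    case "$(mode_of "$1")" in
        ???s*) return 0 ;;
        *)     return 1 ;;
    esac
}

# owned_by_root PATH -> 0 if root owns the file, 1 otherwise. The setuid bit
# only elevates to the file's *owner*, so setuid on a non-root file never
# yields root: that is why both halves of the check are needed.
owned_by_root() { [ "$(owner_of "$1")" = "root" ]; }

# check_setuid_root PATH -> prints a verdict; returns 0 = good, 1 = bad, 2 = missing
check_setuid_root() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing: $f"
        return 2
    fi
    if has_setuid_bit "$f" && owned_by_root "$f"; then
        echo "ok: $f is setuid root ($(mode_of "$f") $(owner_of "$f"))"
        return 0
    fi
    if ! has_setuid_bit "$f"; then
        echo "bad: $f lacks a usable setuid bit ($(mode_of "$f")); user switching will fail"
    else
        echo "bad: $f is setuid but owned by $(owner_of "$f"), not root; it cannot elevate to root"
    fi
    return 1
}

# Demo on a constructed temporary file. Unless this script itself runs as
# root, only the setuid-bit half of the check can succeed here.
demo_tmp="$(mktemp "${TMPDIR:-/tmp}/suid-demo.XXXXXX")"
chmod 0755 "$demo_tmp"
check_setuid_root "$demo_tmp" || true   # reports the missing setuid bit
chmod 4755 "$demo_tmp"
check_setuid_root "$demo_tmp" || true   # reports the non-root owner (or ok, if run as root)
rm -f "$demo_tmp"

# Real check against the system's su, if one is installed.
su_path="$(command -v su 2>/dev/null || true)"
if [ -n "$su_path" ]; then
    check_setuid_root "$su_path" || true
fi
```

Run it as a regular user to see the two "bad" verdicts on the temp file, and then the real verdict for su; in a container where su prints the error the article describes, the output will name exactly which of the two conditions (bit or owner) is missing.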