Understanding the Linux Root User and su Command: Complete Guide for LFCS

Welcome to Part 3 of the LFCS Certification - Phase 1 series! In the previous posts, you learned about Linux distributions and group-based privilege management. Now we're diving deep into the root user - the most powerful account in Linux - and the su command for switching users and gaining root access.

💡

🎯 What You'll Learn: In this guide, you'll master:

What the root user is and why it's special (UID 0)
How root differs from Windows Administrator
Root user's direct relationship with the Linux kernel
The su command for switching users
Critical difference between su and su - (login shell)
How /etc/profile and environment variables are loaded
When to use su vs sudo
Security implications of root access
Best practices for working with root
20+ comprehensive practice labs

Series: LFCS Certification Preparation - Phase 1 (Post 3 of 52) Previous: Part 2 - Understanding Groups (wheel and sudo) Next: Part 4 - Mastering sudo for Temporary Privilege Escalation

What is the Root User?

The root user is the superuser account in Linux - the most powerful account with unrestricted access to everything on the system.

Key Characteristics of Root

Attribute	Value	Significance
Username	root	Default superuser account name
User ID (UID)	0	UID 0 = unlimited privileges
Group ID (GID)	0	Root group
Home Directory	/root	NOT /home/root!
Shell	/bin/bash	Default command interpreter
Permissions	Unrestricted	Can do absolutely anything

Checking Root User Information

Let's examine the root user's entry in /etc/passwd:

grep "^root:" /etc/passwd

Output:

root:x:0:0:root:/root:/bin/bash

Breaking down each field:

root:x:0:0:root:/root:/bin/bash
│    │ │ │ │    │     └─ Login shell
│    │ │ │ │    └─────── Home directory
│    │ │ │ └──────────── GECOS field (user info)
│    │ │ └─────────────── GID (Group ID) = 0
│    │ └───────────────── UID (User ID) = 0
│    └─────────────────── Password (x = stored in /etc/shadow)
└──────────────────────── Username

💡

💡 Critical Fact: The magic of root is UID 0, not the username. Any account with UID 0 has full root privileges, regardless of its name. The kernel only checks the UID!

What Makes Root Special?

When logged in as root, you can:

Read, write, delete ANY file on the system
Modify system configuration files
Install and remove software
Create, modify, delete users and groups
Change file ownership and permissions
Access hardware directly
Kill any process (including other users' processes)
Mount and unmount filesystems
Modify kernel parameters
Bypass most security restrictions

⚠️

⚠️ With great power comes great responsibility! As root, there's no "Are you sure?" prompt. rm -rf / will delete your entire system without hesitation.

Root vs Windows Administrator

Many newcomers to Linux compare the root user to Windows Administrator. While similar, there are important differences:

Aspect	Linux Root	Windows Administrator
Account Type	Single superuser account	Group membership (Administrators group)
Identifier	UID 0	SID (Security Identifier)
Restrictions	Virtually none (can do anything)	Some UAC prompts and protected system files
Daily Usage	NOT recommended	Common (with UAC)
Elevation	su or sudo	UAC (User Account Control)
Philosophy	Explicit elevation when needed	Always elevated with prompts

Key Philosophical Difference

Linux approach: Regular users have minimal privileges. Explicitly elevate to root only when needed using su or sudo.

Windows approach: Administrators often work with elevated privileges, with UAC providing confirmation prompts.

Result: Linux's approach is more secure by default - you must consciously decide to perform privileged operations.

Root User's Relationship with the Linux Kernel

Understanding how root interacts with the kernel is crucial for system administration.

The Kernel and UID 0

Linux Kernel Permission Model

User Space (Applications)

• Regular User (UID 1000): Limited permissions

• Root User (UID 0): Unlimited permissions

↓ System Calls ↓

Linux Kernel

• Checks UID of calling process

• If UID = 0 → Allow operation

• If UID ≠ 0 → Check permissions

↓ Hardware Access ↓

Hardware Resources

• CPU, Memory, Disk, Network

• Only kernel can access directly

How the Kernel Treats Root

When a process makes a system call, the kernel checks:

What is the UID of this process?
- If UID = 0: Bypass most permission checks and allow the operation
- If UID ≠ 0: Check file permissions, capabilities, and other restrictions
Example: Opening a protected file

# As regular user
cat /etc/shadow
# Kernel checks: UID = 1000, file permissions = 000 (no access)
# Result: Permission denied

# As root
cat /etc/shadow
# Kernel checks: UID = 0
# Result: Access granted (UID 0 bypasses permission checks)

Linux Capabilities (Modern Approach)

Modern Linux uses capabilities to divide root privileges into distinct units:

CAP_CHOWN - Change file ownership
CAP_KILL - Kill any process
CAP_NET_ADMIN - Network administration
CAP_SYS_ADMIN - Various system operations

Root (UID 0) has all capabilities by default. This allows more granular privilege management.

✅

✅ For LFCS: Understand that root's power comes from UID 0, which the kernel treats specially. This is fundamental to Linux security and privilege escalation.

Understanding the su Command

The su command stands for "substitute user" or "switch user". It allows you to become another user, most commonly root.

Basic su Usage

Switch to root:

su -

Example session:

[centos9@centos ~]$ whoami
centos9

[centos9@centos ~]$ su -
Password:           # Enter root password
[root@centos ~]# whoami
root

[root@centos ~]# id
uid=0(root) gid=0(root) groups=0(root)

[root@centos ~]# exit
logout
[centos9@centos ~]$

Explanation of what happened:

su - prompts for root password
Shell changes to root user (UID 0)
Prompt changes to # (indicates root)
exit returns to original user

su Command Syntax

su [options] [username]

Command	Meaning	What It Does
su -	Switch to root with login shell	Become root, load root's environment
su	Switch to root without login shell	Become root, keep current environment
su - username	Switch to specific user with login	Become user, load their environment
su username	Switch to specific user without login	Become user, keep environment

Switch to specific user:

su - john

This switches to user john with a full login shell.

The Critical Difference: su vs su -

This is one of the most important concepts for LFCS and real-world system administration.

What's the Difference?

Aspect	su (no dash)	su - (with dash)
Shell Type	Non-login shell	Login shell
Working Directory	Stays in current directory	Changes to target user's home
Environment Variables	Inherits current user's environment	Loads target user's environment
PATH variable	Keeps your PATH	Gets target user's PATH
Runs	~/.bashrc only	/etc/profile, ~/.bash_profile, ~/.bashrc
Recommended	❌ Rarely	✅ Almost always

Practical Example: su vs su -

Let's see the difference in action:

Using su (without dash):

[centos9@centos ~]$ pwd
/home/centos9

[centos9@centos ~]$ echo $USER
centos9

[centos9@centos ~]$ su
Password:
[root@centos centos9]# pwd
/home/centos9              # Still in centos9's directory!

[root@centos centos9]# echo $USER
centos9                    # $USER still shows centos9!

[root@centos centos9]# whoami
root                       # But actually root

[root@centos centos9]# exit

Using su - (with dash):

[centos9@centos ~]$ pwd
/home/centos9

[centos9@centos ~]$ echo $USER
centos9

[centos9@centos ~]$ su -
Password:
[root@centos ~]# pwd
/root                      # Changed to root's home!

[root@centos ~]# echo $USER
root                       # $USER correctly shows root

[root@centos ~]# whoami
root

[root@centos ~]# exit
logout

⚠️

⚠️ Always use su - with the dash! Using su without the dash can cause problems because commands may not be in your PATH, and configuration files won't be loaded properly.

Understanding login shells is crucial for knowing what happens when you run su -.

A login shell is the first shell you get when logging into a system. It:

Reads and executes system-wide configuration from /etc/profile
Reads and executes user-specific configuration from ~/.bash_profile or ~/.profile
Sets up the user's environment completely

Configuration Files Loading Order

When you run su -, these files are executed in order:

User runs: su -

↓

/etc/profile

System-wide environment

↓

/etc/profile.d/*.sh

Additional system-wide scripts

↓

~/.bash_profile

User-specific environment (or ~/.profile)

↓

~/.bashrc

User-specific aliases and functions

↓

Shell Ready!

/etc/profile: System-Wide Configuration

Let's look at what /etc/profile does:

cat /etc/profile

Common contents:

# /etc/profile

# System-wide environment and startup programs

# Set PATH
pathmunge () {
    case ":${PATH}:" in
        *:"$1":*)
            ;;
        *)
            if [ "$2" = "after" ] ; then
                PATH=$PATH:$1
            else
                PATH=$1:$PATH
            fi
    esac
}

# Path manipulation
pathmunge /usr/local/bin
pathmunge /usr/local/sbin
pathmunge /usr/sbin

# Set HOSTNAME
HOSTNAME=`/usr/bin/hostname 2>/dev/null`

# Set default umask
umask 022

# Load scripts from /etc/profile.d/
for i in /etc/profile.d/*.sh ; do
    if [ -r "$i" ]; then
        . "$i"
    fi
done

Key things /etc/profile does:

Sets the PATH environment variable
Sets the hostname
Sets default file creation mask (umask)
Loads additional scripts from /etc/profile.d/

Checking Your Environment

After su -:

[centos9@centos ~]$ su -
Password:
[root@centos ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin

[root@centos ~]# echo $HOME
/root

[root@centos ~]# echo $USER
root

[root@centos ~]# pwd
/root

All environment variables are properly set for root!

When to Use su vs sudo

Both su and sudo elevate privileges, but they work differently:

Aspect	su	sudo
Password Required	Target user's password (root)	Your own password
Session Type	Full root shell session	Single command execution
Security	Less secure (root password shared)	More secure (no root password needed)
Auditability	Harder to track (all actions as root)	Better logging (knows who ran what)
Use Case	Multiple admin tasks, troubleshooting	Single commands, scripting
Risk	Higher (easy to forget you're root)	Lower (each command requires sudo)

When to Use su

Use su - when:

You need to run multiple commands as root
You're troubleshooting and need an interactive root session
You're doing system maintenance or configuration
You need to work as root for an extended period

Example scenario:

# Need to edit multiple system files
su -
vi /etc/hosts
vi /etc/hostname
vi /etc/sysconfig/network-scripts/ifcfg-eth0
systemctl restart network
exit

When to Use sudo

Use sudo when:

Running a single administrative command
In production environments (better logging)
When root password shouldn't be shared
For automated scripts

Example scenario:

# Single command
sudo systemctl restart httpd

# Quick package installation
sudo dnf install nginx -y

✅

✅ Best Practice: Prefer sudo for most tasks. Use su - only when you need an extended root session. Never use su without the dash unless you have a specific reason.

Exiting Root Shell

Always remember to exit root shell when done:

[root@centos ~]# exit
logout
[centos9@centos ~]$

Or use Ctrl+D keyboard shortcut.

Why it's important:

Prevents accidental commands as root
Closes security exposure window
Good security hygiene

🧪 Practice Labs

Time to practice working with root and the su command!

Lab 1: Exploring the Root User (Beginner)

Check if root user exists:
```
grep "^root:" /etc/passwd
```
Examine root's UID and GID:
```
id root
```
Check root's home directory:
```
getent passwd root | cut -d: -f6
```

Try to access /root as regular user:

ls /root
# Should get: Permission denied

Check /root permissions:
```
ls -ld /root
```

Lab 2: First Time Using su (Beginner)

Check your current user:
```
whoami
id
```
Switch to root with login shell:
```
su -
# Enter root password
```
Verify you're now root:
```
whoami
id
echo $USER
pwd
```
Check root's PATH:
```
echo $PATH
```
List files in /root:
```
ls -la /root
```
Exit root shell:
```
exit
```
Verify you're back to regular user:
```
whoami
```

Lab 3: Comparing su vs su - (Intermediate)

Note your current directory and environment:
```
pwd
echo $USER
echo $HOME
echo $PATH
```

Use su WITHOUT dash:

su
# Enter root password
pwd           # Still in your home directory!
echo $USER    # May still show your username
echo $HOME    # Shows root's home but you're not there
exit

Use su WITH dash:

su -
# Enter root password
pwd           # Now in /root
echo $USER    # Shows root
echo $HOME    # Shows /root
exit

Document the differences you observed

Lab 4: Switching Between Users (Intermediate)

As root, switch to another user:

su -
su - centos9        # Switch from root to centos9
whoami
pwd
exit                # Back to root
exit                # Back to original user

Create a test user:

sudo useradd -m testuser1
sudo passwd testuser1

Switch to test user:
```
su - testuser1
whoami
pwd
exit
```

Lab 5: Environment Variables Investigation (Intermediate)

As regular user, check environment:
```
env | grep -E 'USER|HOME|PATH|SHELL'
```

Switch to root with su -:

su -
env | grep -E 'USER|HOME|PATH|SHELL'
# Compare the differences
exit

Check which config files were loaded:

su -
# Check if .bash_profile was loaded
grep "profile" ~/.bash_profile
exit

Lab 6: Testing Root Permissions (Intermediate)

As regular user, try to read /etc/shadow:

cat /etc/shadow
# Should fail: Permission denied

Check file permissions:
```
ls -l /etc/shadow
```
Read as root:
```
su -
cat /etc/shadow
# Works!
exit
```

As regular user, try to create file in /etc:

touch /etc/testfile
# Should fail: Permission denied

As root:

su -
touch /etc/testfile
ls -l /etc/testfile
rm /etc/testfile
exit

Lab 7: /etc/profile Analysis (Advanced)

View /etc/profile contents:
```
cat /etc/profile
```
Check what's in /etc/profile.d/:
```
ls -la /etc/profile.d/
```

Add custom message to test profile loading:

su -
echo 'echo "Profile loaded!"' >> /root/.bash_profile
exit
su -
# Should see: Profile loaded!
exit

Clean up:

su -
sed -i '/Profile loaded/d' /root/.bash_profile
exit

Lab 8: PATH Variable Comparison (Advanced)

Compare PATH as user vs root:

echo "User PATH:"
echo $PATH

su -
echo "Root PATH:"
echo $PATH
exit

Check where commands are located:

which useradd
which systemctl
which dnf

Notice these are in /usr/sbin - in root's PATH but not always in user's PATH

Lab 9: Security Testing (Advanced)

Test that UID 0 is what matters:
```
su -
id
# Note: uid=0(root)
exit
```

Check root's capabilities:

su -
# Try operations only root can do:
systemctl status sshd
cat /var/log/secure | tail -10
useradd tempuser
userdel tempuser
exit

Lab 10: Creating a Safe Root Session Script (Advanced)

Create a script to safely work as root:

#!/bin/bash
# safe-root-session.sh

echo "================================================"
echo "  ENTERING ROOT SESSION"
echo "================================================"
echo "WARNING: You are about to become root!"
echo "Current user: $(whoami)"
echo ""
read -p "Type 'yes' to continue: " confirm

if [ "$confirm" != "yes" ]; then
    echo "Cancelled."
    exit 0
fi

echo ""
echo "Switching to root..."
echo "Remember to type 'exit' when done!"
echo "================================================"
su -
echo ""
echo "================================================"
echo "  ROOT SESSION ENDED"
echo "================================================"
echo "Back to regular user: $(whoami)"

Save and use:

chmod +x safe-root-session.sh
./safe-root-session.sh

Lab 11-15: Real-World Scenarios

Lab 11: System Update as Root

Perform system updates using root shell:

su -
dnf check-update
dnf update -y
exit

Lab 12: Log File Analysis

Analyze system logs (requires root):

su -
tail -50 /var/log/messages
grep "error" /var/log/messages | tail -20
exit

Lab 13: User Management Session

Create and configure multiple users as root:

su -
useradd user1
useradd user2
passwd user1
passwd user2
usermod -aG wheel user1
id user1
id user2
exit

Lab 14: System Configuration Changes

Make system-wide configuration changes:

su -
vi /etc/hosts
# Add custom entries
systemctl restart networking
exit

Lab 15: Emergency System Repair

Simulate fixing a system issue:

su -
# Check disk space
df -h
# Check memory
free -h
# Check running processes
ps aux | head -20
# Clean up temporary files
rm -rf /tmp/*
exit

Lab 16-20: Advanced Challenges

Lab 16: Compare what files are created when switching with su vs su - (check history files)

Lab 17: Create a script that checks if you're root and refuses to run if you are

Lab 18: Time how long it takes for different shells to start (su vs su -)

Lab 19: Document all environment variables that change between regular user and root

Lab 20: Create a custom /etc/profile.d/ script that runs when any user logs in

📚 Best Practices

✅ Root User and su Best Practices

Always use su - with the dash
- Loads proper environment
- Changes to correct home directory
- Runs login scripts
Exit root shell immediately when done
- Don't stay logged in as root
- Minimize time at elevated privileges
- Use exit or Ctrl+D
Prefer sudo over su for single commands
- Better auditing and logging
- No need to share root password
- Principle of least privilege
Never browse the internet as root
- Major security risk
- Malware has full system access
- Always use regular user for web
Double-check commands before pressing Enter
- No undo for rm -rf /
- Typos can be catastrophic
- Think before you type
Use descriptive prompts
- Make root prompt obvious (usually # vs $)
- Consider colored prompts for root
- Visual reminder you're in privileged mode
Don't disable root account unless necessary
- Useful for recovery scenarios
- Single-user mode needs root access
- Keep it available but secured
Set strong root password
- Long and complex
- Different from user passwords
- Store securely
Monitor root access
- Check /var/log/secure regularly
- Investigate unexpected root logins
- Set up alerts for root access
Document why you need root access
- Keep notes of admin tasks
- Helps troubleshooting later
- Good for auditing

🚨 Common Pitfalls to Avoid

⚠️

❌ Mistakes to Avoid

Using su without the dash

su              # WRONG - incomplete environment
su -            # CORRECT - full login shell

Forgetting you're root
- Easy to accidentally run destructive commands
- Always check prompt before dangerous operations
- Use whoami if unsure
Leaving root shell open and walking away
- Major security risk
- Anyone can use your session
- Always exit before leaving
Sharing root password widely
- Use sudo instead
- Limit who knows root password
- Change it when people leave team
Running applications as root
- Don't run GUI applications as root
- Don't run web browsers as root
- Don't run text editors unless needed
Not checking current directory as root
```
su -
# Always check where you are!
pwd
```
Assuming you have root access
- Not all users can su to root
- Check if you're in wheel/sudo group first
- Have backup plan
Using root for regular work
- Root is for administration only
- Do regular work as regular user
- Only elevate when needed
Not testing commands first
- Test with non-destructive operations
- Use --dry-run flags when available
- Verify syntax before execution
Ignoring the consequences of root access
- Every command has system-wide impact
- No safety net
- Be extremely careful

📝 Command Cheat Sheet

Basic su Commands

# Switch to root with login shell (RECOMMENDED)
su -

# Switch to root without login shell (NOT recommended)
su

# Switch to specific user with login shell
su - username

# Switch to specific user without login shell
su username

# Exit root shell
exit
# or press Ctrl+D

Checking Current User

# Show current username
whoami

# Show detailed user information
id

# Show user ID only
id -u

# Show username only
id -un

# Show all environment variables
env

# Show specific variables
echo $USER
echo $HOME
echo $PATH
echo $SHELL

Root User Information

# View root's entry in passwd file
grep "^root:" /etc/passwd

# Check root's details
id root

# View root's home directory
ls -la /root

# Check root's shell
getent passwd root | cut -d: -f7

# View root's PATH (as root)
su -
echo $PATH

Environment and Configuration

# View system-wide profile
cat /etc/profile

# List profile.d scripts
ls -la /etc/profile.d/

# View user's bash profile
cat ~/.bash_profile

# View user's bashrc
cat ~/.bashrc

# Show all aliases
alias

# Show all shell functions
declare -F

Permission Testing

# Try to access root-only file
cat /etc/shadow          # Will fail as regular user

# Access as root
su -
cat /etc/shadow          # Works as root
exit

# Check file permissions
ls -l /etc/shadow
ls -ld /root

# Test write access
touch /etc/testfile      # Fails as user
su -
touch /etc/testfile      # Works as root
rm /etc/testfile
exit

Comparing su vs su -

# Test non-login shell
su
pwd                      # Still in your directory
echo $USER              # May show your user
exit

# Test login shell
su -
pwd                      # Now in /root
echo $USER              # Shows root
exit

Advanced Usage

# Run single command as root
su -c "command"

# Example: Check root's crontab
su -c "crontab -l"

# Switch to root then another user
su -
su - otheruser
whoami
exit
exit

# Check who can become root (wheel group members)
getent group wheel

🎯 Key Takeaways

✅ Remember These Points

Root is UID 0 - That's what gives unlimited power, not the name
Root can do anything - Read, write, delete, modify everything
Root's home is /root - NOT /home/root
su = substitute user - Become another user (usually root)
Always use su - with dash - Loads proper environment and changes directory
su without dash is dangerous - Incomplete environment causes problems
Exit immediately when done - Don't stay as root longer than needed
Root is not Administrator - More powerful, less restricted than Windows Admin
Kernel treats UID 0 specially - Bypasses most permission checks
Login shell runs /etc/profile - Sets up PATH and environment
Prefer sudo over su - Better security, logging, and auditing
Root password = all access - Protect it carefully, share minimally
No undo as root - Commands execute immediately without confirmation
Visual cues matter - # prompt means root, $ means regular user
Test in low-risk environments first - Practice before production

🚀 What's Next?

Now that you understand the root user and the su command, you're ready to learn about sudo - the safer, more modern approach to privilege escalation!

In the next post (Part 4), we'll cover:

What sudo is and why it's safer than su
Detailed sudo vs su comparison
Basic sudo usage and command syntax
Using sudo -i for interactive root shell
Default admin users on Ubuntu and RedHat
sudo timeout and password caching
sudo logging and auditability
Best practices for sudo usage

Coming Up in Phase 1:

Part 5: Creating and Managing sudo Configuration (/etc/sudoers, visudo)
Part 6: Linux Command Basics (case sensitivity, options)
Part 7: Essential Navigation Commands (ls, pwd, cd, whoami)
And 45 more posts!

✅

🎉 Congratulations! You've completed Part 3 of the LFCS Certification series. You now understand the Linux root user, the difference between su and su -, and how the kernel treats UID 0.

Practice is critical! Complete the 20 practice labs to build confidence working with root access. Understanding root is fundamental to all Linux system administration.

Remember: With great power comes great responsibility. Always think before you type as root!

💬 Discussion

I'd love to hear about your experience:

Have you accidentally broken something as root? (We all have!)
Do you prefer su or sudo for your admin tasks?
What's your strategy for remembering when you're logged in as root?
Any close calls with dangerous root commands?

Connect with me:

🐙 GitHub - LFCS practice scripts
📧 Contact - Questions about LFCS

This is Part 3 of 52 in the LFCS Certification - Phase 1 series. Stay tuned for Part 4: Mastering sudo for Temporary Privilege Escalation!