Right, so you’ve decided to elevate your privileges. Good for you. You’ve probably typed sudo a thousand times, but when you need a full, interactive root shell, the two incantations you’ll see most often are sudo -i and sudo su -. They look like they do the same thing, and in a lot of cases, the end result seems identical. But the devil, and a whole lot of security and environment nuance, is in the details. Let’s crack this nut open.

The Core Philosophical Difference

This is the most important concept to grasp, and it explains everything that follows. sudo -i (the -i stands for “initialize” or “interactive”) asks the sudo program itself to become root. It’s the “official” way to get a root shell through sudo. It plays by sudo’s rules, reads its configuration (/etc/sudoers), and respects whatever settings are in there.

On the other hand, sudo su - is a bit of a backdoor. You’re using sudo for one thing and one thing only: to run the su command as root. su (switch user) is a separate, older program that doesn’t know or care about sudo’s policies. You’re effectively saying, “Hey sudo, use your power to run the command su -,” and then su takes over and starts a root login shell. It’s a two-step process where the second step (su) operates outside of sudo’s immediate control.

The Environment: This is Where It Gets Messy

The most practical difference you’ll see is in your environment variables, like PATH, HOME, and USER. A properly configured system treats these two commands very differently.

sudo -i is designed to simulate a real initial root login. This is its killer feature. It starts from a clean slate, resetting the environment to what a real root user would get if they logged in directly. It will source root’s ~/.profile, ~/.bashrc, etc. This means your PATH becomes the secure, system-default root PATH (usually /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin), which is crucial for avoiding accidentally running some sketchy script in your home directory that’s also called ls.

sudo su - also aims for this clean environment. The - (or -l) flag tells su to act as a login shell, which also does the cleanup and sources the root’s startup files.

So, if they both do that, what’s the big deal? Well, the difference is in the guarantee. Because sudo -i is one integrated command, it’s always supposed to reset the environment. The behavior of sudo su -, however, can be meddled with by sudo itself. Check this out:

$ env | grep SUDO
SUDO_USER=yourusername
SUDO_COMMAND=/bin/su
SUDO_UID=1000

See those SUDO_* variables? They’re set by the sudo command. When you run sudo su -, su gets executed, but it inherits that SUDO_USER environment variable. A properly configured su command will still wipe the environment and ignore it, but it’s a potential leak. sudo -i is designed to handle these variables correctly from the start.

Now, let’s talk about the chaotic evil version you’ve definitely used: sudo su (without the dash). Never do this. This runs su but keeps your current user’s environment polluted all the way through. Your PATH is still your user’s PATH. It’s a security nightmare and a fantastic way to cause bizarre, hard-to-debug issues. The dash is not a suggestion; it’s the entire point.
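Added example, not from the post: a small Python check you can run from inside the root shell you just obtained to confirm the environment was actually reset the way a real root login (and so sudo -i or sudo su -) should leave it. The two sample environments are constructed, and the invoking user's home is assumed to be /home/<SUDO_USER>.

```python
import os

# The system-default root PATH quoted in the post.
SECURE_ROOT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

def audit_root_env(env: dict) -> list:
    """Return findings for a root shell's environment; an empty list
    means it looks like a genuine root login."""
    findings = []
    if env.get("HOME") != "/root":
        findings.append(f"HOME is {env.get('HOME')!r}, expected /root")
    for var in ("USER", "LOGNAME"):
        if env.get(var, "root") != "root":
            findings.append(f"{var} is {env[var]!r}, expected root")
    # Assumption: the invoking user's home is /home/<SUDO_USER>.
    invoker_home = f"/home/{env['SUDO_USER']}" if env.get("SUDO_USER") else None
    for entry in env.get("PATH", "").split(":"):
        if entry in ("", "."):
            findings.append("PATH searches the current directory (empty or '.' entry)")
        elif not entry.startswith("/"):
            findings.append(f"PATH has relative entry {entry!r}")
        elif entry.startswith("/home/") or (invoker_home and entry.startswith(invoker_home)):
            findings.append(f"PATH has user-home entry {entry!r}")
    return findings

def audit_current_process() -> list:
    """Run the same checks against the environment this script was started in."""
    return audit_root_env(dict(os.environ))

# Constructed samples: a clean root login environment, and the kind of
# polluted environment the post warns a bare 'sudo su' (no dash) leaves behind.
CLEAN_ENV = {"HOME": "/root", "USER": "root", "LOGNAME": "root",
             "PATH": SECURE_ROOT_PATH, "SUDO_USER": "alice"}
DIRTY_ENV = {"HOME": "/home/alice", "USER": "alice", "LOGNAME": "alice",
             "PATH": ".:/home/alice/.local/bin:/usr/local/bin:/usr/bin:/bin",
             "SUDO_USER": "alice"}

if __name__ == "__main__":
    for finding in audit_current_process() or ["environment looks like a real root login"]:
        print(finding)
```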

The Security and Audit Trail Implications

Remember that philosophical difference? It matters for logging. A well-configured sudo setup logs every command. Let’s see what the logs (check /var/log/auth.log or journalctl -t sudo) say for each.

For sudo -i:

sudo: yourusername : TTY=pts/0 ; PWD=/home/yourusername ; USER=root ; COMMAND=/bin/bash -i

It’s very clear. User “yourusername” started an interactive root shell.

For sudo su -:

sudo: yourusername : TTY=pts/0 ; PWD=/home/yourusername ; USER=root ; COMMAND=/bin/su -

The log shows that you ran /bin/su -. It doesn’t show what you did after that. Once you’re in the su shell, any commands you run (like rm -rf /some/important/directory) are not logged by sudo. They might be logged by su or syslog, but that’s a separate, often less granular, log file. sudo -i provides a cleaner, more contained audit trail from start to finish.
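Added example, not from the post: a Python parser for sudo log records in the format shown above that classifies each one as a plain command, an interactive shell started by sudo itself, or a hand-off to su (with or without the dash), so a reviewer can see exactly where sudo's per-command record stops. The sample lines are constructed (the first two mirror the post's); the syslog timestamp/host prefix on the others is assumed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One sudo record in the auth.log format shown above. A syslog
# "<timestamp> <host> " prefix, if present, is skipped by search().
SUDO_LINE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:\s+(?P<fields>.+)$")
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "fish"}

@dataclass
class SudoEvent:
    user: str      # invoking user, as sudo logged it
    target: str    # USER= field: the account the command ran as
    command: str   # COMMAND= field, verbatim
    kind: str      # "su-login", "su-nologin", "root-shell" or "command"

def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    m = SUDO_LINE.search(line)
    if not m:
        return None
    fields = {}
    for chunk in m.group("fields").split(" ; "):
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    argv = fields.get("COMMAND", "").split()
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]   # /bin/su and /usr/bin/su both -> su
    if prog == "su":
        login = any(a in ("-", "-l", "--login") for a in argv[1:])
        kind = "su-login" if login else "su-nologin"
    elif prog in SHELLS:
        kind = "root-shell"
    else:
        kind = "command"
    return SudoEvent(m.group("user"), fields.get("USER", "?"), " ".join(argv), kind)

def shell_handoffs(lines: Iterable[str]) -> List[SudoEvent]:
    """Records after which sudo's own per-command log no longer itemizes what
    was typed: su hand-offs (the dash-less ones first) and interactive shells."""
    events = [parse_sudo_line(line) for line in lines]
    return [e for e in events if e and e.kind != "command"]

SAMPLE_LOG = [  # constructed sample lines
    "sudo: yourusername : TTY=pts/0 ; PWD=/home/yourusername ; USER=root ; COMMAND=/bin/bash -i",
    "sudo: yourusername : TTY=pts/0 ; PWD=/home/yourusername ; USER=root ; COMMAND=/bin/su -",
    "Jun  3 09:12:44 host sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su",
    "Jun  3 09:13:02 host sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
]
```

Feed it `journalctl -t sudo` or /var/log/auth.log lines and the "su-nologin" records are the ones to chase first, since the post's whole warning about the missing dash applies to them.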

Best Practice and The Final Verdict

So, which one should you use? Always prefer sudo -i.

It’s the purpose-built tool for the job. It’s more predictable, more secure by default, provides a cleaner audit trail, and is the “correct” way according to the design of the sudo ecosystem. It’s one fewer moving part.

Use sudo su - only when you’re on a system so old or bizarrely configured that sudo -i doesn’t work as expected (which is rare). Or, if you’re like me and have been typing sudo su - for fifteen years, it’s a tough habit to break—but breaking it is the right move.

The bottom line: sudo -i is your brilliant friend who follows the rules to keep you safe. sudo su - is the clever friend who knows a shortcut that usually works. And sudo su is the friend who suggests mixing cheap beer and cheaper tequila. It seems like a good idea at the time, but you will regret it.