Sun Microsystems, Inc.
spacerspacer
spacer   www.sun.com docs.sun.com | | |  
spacer
black dot
   
A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z
    
 
System Administration Commandssu(1M)


NAME

 su - become super user or another user

SYNOPSIS

 su [-] [ username [ arg ...] ]

DESCRIPTION

 

The su command allows one to become another user without logging off or to assume a role. The default user name is root (super user).

To use su, the appropriate password must be supplied (unless the invoker is already root). If the password is correct, su creates a new shell process that has the real and effective user ID, group IDs, and supplementary group list set to those of the specified username. Additionally, the new shell's project ID is set to the default project ID of the specified user. See getdefaultproj(3PROJECT), setproject(3PROJECT). The new shell will be the shell specified in the shell field of username's password file entry (see passwd(4)). If no shell is specified, /usr/bin/sh is used (see sh(1)). If superuser privilege is requested and the shell for the superuser cannot be invoked using exec(2), /sbin/sh is used as a fallback. To return to normal user ID privileges, type an EOF character (CTRL-D) to exit the new shell.

Any additional arguments given on the command line are passed to the new shell. When using programs such as sh, an arg of the form -c string executes string using the shell and an arg of -r gives the user a restricted shell.

The following statements are true if the login shell is /usr/bin/sh or an empty string (which defaults to /usr/bin/sh) in the specific user's password file entry. If the first argument to su is a dash (-), the environment will be changed to what would be expected if the user actually logged in as the specified user. Otherwise, the environment is passed along, with the exception of $PATH, which is controlled by PATH and SUPATH in /etc/default/su.

All attempts to become another user using su are logged in the log file /var/adm/sulog (see sulog(4)).

SECURITY

 

su uses pam(3PAM) for authentication, account management, and session management.

The PAM configuration policy, listed through /etc/pam.conf, specifies the modules to be used for su. The following example shows a partial pam.conf file with entries for the su command using the authentication, account management, and session management module.

 
su   auth        requisite   pam_authtok_get.so.1
su   auth        required    pam_dhkeys.so.1
su   auth        required    pam_unix_auth.so.1

su   account     required    pam_unix_roles.so.1
su   account     required    pam_unix_projects.so.1
su   account     required    pam_unix_account.so.1

su   session     required    pam_unix_session.so.1

If there are no entries for the su service, then the entries for the other service will be used. If multiple authentication modules are listed, then the user may be prompted for multiple passwords.

EXAMPLES

 Example 1. Becoming User bin While Retaining Your Previously Exported Environment
 

To become user bin while retaining your previously exported environment, execute:
 
example% su bin

Example 2. Becoming User bin and Changing to bin's Login Environment
 

To become user bin but change the environment to what would be expected if bin had originally logged in, execute:
 
example% su - bin

Example 3. Executing command with user bin's Environment and Permissions
 

To execute command with the temporary environment and permissions of user bin, type:
 
example% su - bin -c "command args"

ENVIRONMENT VARIABLES

 

Variables with LD_ prefix are removed for security reasons. Thus, su bin will not retain previously exported variables with LD_ prefix while becoming user bin.

If any of the LC_* variables ( LC_CTYPE, LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and LC_MONETARY) (see environ(5)) are not set in the environment, the operational behavior of su for each corresponding locale category is determined by the value of the LANG environment variable. If LC_ALL is set, its contents are used to override both the LANG and the other LC_* variables. If none of the above variables are set in the environment, the "C" (U.S. style) locale determines how su behaves.

LC_CTYPE
Determines how su handles characters. When LC_CTYPE is set to a valid value, su can display and handle text and filenames containing valid characters for that locale. su can display and handle Extended Unix Code (EUC) characters where any individual character can be 1, 2, or 3 bytes wide. su can also handle EUC characters of 1, 2, or more column widths. In the "C" locale, only characters from ISO 8859-1 are valid.
LC_MESSAGES
Determines how diagnostic and informative messages are presented. This includes the language and style of the messages, and the correct form of affirmative and negative responses. In the "C" locale, the messages are presented in the default form found in the program itself (in most cases, U.S. English).

FILES

 
$HOME/.profile
user's login commands for sh and ksh
/etc/passwd
system's password file
/etc/profile
system-wide sh and ksh login commands
/var/adm/sulog
log file
/etc/default/su
the default parameters in this file are:
SULOG
If defined, all attempts to su to another user are logged in the indicated file.
CONSOLE
If defined, all attempts to su to root are logged on the console.
PATH
Default path. (/usr/bin:)
SUPATH
Default path for a user invoking su to root. (/usr/sbin:/usr/bin)
SYSLOG
Determines whether the syslog(3C) LOG_AUTH facility should be used to log all su attempts. LOG_NOTICE messages are generated for su's to root, LOG_INFO messages are generated for su's to other users, and LOG_CRIT messages are generated for failed su attempts.
SLEEPTIME
If present, sets the number of seconds to wait before login failure is printed to the screen and another login attempt is allowed. Default is 4 seconds. Minimum is 0 seconds. Maximum is 5 seconds.

ATTRIBUTES

 

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPEATTRIBUTE VALUE
AvailabilitySUNWcsu

SEE ALSO

 

csh(1), env(1), ksh(1), login(1), roles(1), sh(1), syslogd(1M), exec(2), getdefaultproj(3PROJECT), setproject(3PROJECT), pam(3PAM), syslog(3C), pam.conf(4), passwd(4), profile(4), sulog(4), attributes(5), environ(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

NOTES

 

The pam_unix(5) module might not be supported in a future release. Similar functionality is provided by pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).


SunOS 5.9Go To TopLast Changed 24 Jan 2002

 
      
      
Copyright 2002 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.