su(1M) System Administration Commands su(1M)NAMEsu - become superuser or another user
SYNOPSISsu [-] [ username [ arg...]]
DESCRIPTION
The su command allows one to become another user without logging off or
to assume a role. The default user name is root (superuser).
To use su, the appropriate password must be supplied (unless the
invoker is already root). If the password is correct, su creates a new
shell process that has the real and effective user ID, group IDs, and
supplementary group list set to those of the specified username. Addi‐
tionally, the new shell's project ID is set to the default project ID
of the specified user. See getdefaultproj(3PROJECT), setpro‐
ject(3PROJECT). The new shell will be the shell specified in the shell
field of username's password file entry (see passwd(4)). If no shell is
specified, /usr/bin/sh is used (see sh(1)). If superuser privilege is
requested and the shell for the superuser cannot be invoked using
exec(2), /sbin/sh is used as a fallback. To return to normal user ID
privileges, type an EOF character (<CTRL-D>) to exit the new shell.
Any additional arguments given on the command line are passed to the
new shell. When using programs such as sh, an arg of the form -c string
executes string using the shell and an arg of -r gives the user a
restricted shell.
To create a login environment, the command "su -" does the following:
· In addition to what is already propagated, the LC* and LANG envi‐
ronment variables from the specified user's environment are also
propagated.
· Propagate TZ from the user's environment. If TZ is not found in
the user's environment, su uses the TZ value from the TIMEZONE
parameter found in /etc/default/login.
· Set MAIL to /var/mail/new_user.
If the first argument to su is a dash (-), the environment will be
changed to what would be expected if the user actually logged in as the
specified user. Otherwise, the environment is passed along, with the
exception of $PATH, which is controlled by PATH and SUPATH in
/etc/default/su.
All attempts to become another user using su are logged in the log file
/var/adm/sulog (see sulog(4)).
SECURITYsu uses pam(3PAM) with the service name su for authentication, account
management, and credential establishment.
EXAMPLES
Example 1: Becoming User bin While Retaining Your Previously Exported
Environment
To become user bin while retaining your previously exported environ‐
ment, execute:
example% su bin
Example 2: Becoming User bin and Changing to bin's Login Environment
To become user bin but change the environment to what would be expected
if bin had originally logged in, execute:
example% su - bin
Example 3: Executing command with user bin's Environment and Permis‐
sions
To execute command with the temporary environment and permissions of
user bin, type:
example% su - bin -c "command args"
ENVIRONMENT VARIABLES
Variables with LD_ prefix are removed for security reasons. Thus, su
bin will not retain previously exported variables with LD_ prefix while
becoming user bin.
If any of the LC_* variables ( LC_CTYPE, LC_MESSAGES, LC_TIME, LC_COL‐
LATE, LC_NUMERIC, and LC_MONETARY) (see environ(5)) are not set in the
environment, the operational behavior of su for each corresponding
locale category is determined by the value of the LANG environment
variable. If LC_ALL is set, its contents are used to override both the
LANG and the other LC_* variables. If none of the above variables are
set in the environment, the "C" (U.S. style) locale determines how su
behaves.
LC_CTYPE Determines how su handles characters. When LC_CTYPE is
set to a valid value, su can display and handle text
and filenames containing valid characters for that
locale. su can display and handle Extended Unix Code
(EUC) characters where any individual character can be
1, 2, or 3 bytes wide. su can also handle EUC charac‐
ters of 1, 2, or more column widths. In the "C" locale,
only characters from ISO 8859-1 are valid.
LC_MESSAGES Determines how diagnostic and informative messages are
presented. This includes the language and style of the
messages, and the correct form of affirmative and nega‐
tive responses. In the "C" locale, the messages are
presented in the default form found in the program
itself (in most cases, U.S. English).
FILES
$HOME/.profile user's login commands for sh and ksh
/etc/passwd system's password file
/etc/profile system-wide sh and ksh login commands
/var/adm/sulog log file
/etc/default/su the default parameters in this file are:
SULOG If defined, all attempts to su
to another user are logged in
the indicated file.
CONSOLE If defined, all attempts to su
to root are logged on the con‐
sole.
PATH Default path. (/usr/bin:)
SUPATH Default path for a user invok‐
ing su to root.
(/usr/sbin:/usr/bin)
SYSLOG Determines whether the sys‐
log(3C) LOG_AUTH facility
should be used to log all su
attempts. LOG_NOTICE messages
are generated for su's to root,
LOG_INFO messages are generated
for su's to other users, and
LOG_CRIT messages are generated
for failed su attempts.
/etc/default/login the default parameters in this file are:
TIMEZONE Sets the TZ environment vari‐
able of the shell.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWcsu │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOcsh(1), env(1), ksh(1), login(1), roles(1), sh(1), syslogd(1M),
exec(2), getdefaultproj(3PROJECT), setproject(3PROJECT), pam(3PAM),
pam_authenticate(3PAM), pam_acct_mgmt(3PAM), pam_setcred(3PAM),
pam.conf(4), passwd(4), profile(4), sulog(4), syslog(3C),
attributes(5), environ(5)SunOS 5.10 26 Feb 2004 su(1M)