SU(1M)SU(1M)NAMEsu - become superuser or another user
SYNOPSISsu [-] [username [arg...]]
The su command allows one to become another user without logging off or
to assume a role. The default user name is root (superuser).
To use su, the appropriate password must be supplied (unless the
invoker is already root). If the password is correct, su creates a new
shell process that has the real and effective user ID, group IDs, and
supplementary group list set to those of the specified username. Addi‐
tionally, the new shell's project ID is set to the default project ID
of the specified user. See getdefaultproj(3PROJECT), setpro‐
ject(3PROJECT). The new shell will be the shell specified in the shell
field of username's password file entry (see passwd(4)). If no shell is
specified, /usr/bin/sh is used (see sh(1)). If superuser privilege is
requested and the shell for the superuser cannot be invoked using
exec(2), /sbin/sh is used as a fallback. To return to normal user ID
privileges, type an EOF character (CTRL-D) to exit the new shell.
Any additional arguments given on the command line are passed to the
new shell. When using programs such as sh, an arg of the form -c
string executes string using the shell and an arg of -r gives the user
a restricted shell.
To create a login environment, the command "su -" does the following:
o In addition to what is already propagated, the LC* and LANG
environment variables from the specified user's environment
are also propagated.
o Propagate TZ from the user's environment. If TZ is not found
in the user's environment, su uses the TZ value from the
TIMEZONE parameter found in /etc/default/login.
o Set MAIL to /var/mail/new_user.
If the first argument to su is a dash (-), the environment will be
changed to what would be expected if the user actually logged in as the
specified user. Otherwise, the environment is passed along, with the
exception of $PATH, which is controlled by PATH and SUPATH in
All attempts to become another user using su are logged in the log file
/var/adm/sulog (see sulog(4)).
SECURITYsu uses pam(3PAM) with the service name su for authentication, account
management, and credential establishment.
Example 1 Becoming User bin While Retaining Your Previously Exported
To become user bin while retaining your previously exported environ‐
example% su bin
Example 2 Becoming User bin and Changing to bin's Login Environment
To become user bin but change the environment to what would be expected
if bin had originally logged in, execute:
example% su - bin
Example 3 Executing command with user bin's Environment and Permissions
To execute command with the temporary environment and permissions of
user bin, type:
example% su - bin -c "command args"
Variables with LD_ prefix are removed for security reasons. Thus, su
bin will not retain previously exported variables with LD_ prefix while
becoming user bin.
If any of the LC_* variables ( LC_CTYPE, LC_MESSAGES, LC_TIME, LC_COL‐
LATE, LC_NUMERIC, and LC_MONETARY) (see environ(5)) are not set in the
environment, the operational behavior of su for each corresponding
locale category is determined by the value of the LANG environment
variable. If LC_ALL is set, its contents are used to override both the
LANG and the other LC_* variables. If none of the above variables are
set in the environment, the "C" (U.S. style) locale determines how su
Determines how su handles characters. When LC_CTYPE is
set to a valid value, su can display and handle text and
filenames containing valid characters for that locale.
su can display and handle Extended Unix Code (EUC) char‐
acters where any individual character can be 1, 2, or 3
bytes wide. su can also handle EUC characters of 1, 2,
or more column widths. In the "C" locale, only charac‐
ters from ISO 8859-1 are valid.
Determines how diagnostic and informative messages are
presented. This includes the language and style of the
messages, and the correct form of affirmative and nega‐
tive responses. In the "C" locale, the messages are pre‐
sented in the default form found in the program itself
(in most cases, U.S. English).
user's login commands for sh and ksh
system's password file
system-wide sh and ksh login commands
the default parameters in this file are:
If defined, all attempts to su to
another user are logged in the indi‐
If defined, all attempts to su to root
are logged on the console.
Default path. (/usr/bin:)
Default path for a user invoking su to
Determines whether the syslog(3C)
LOG_AUTH facility should be used to
log all su attempts. LOG_NOTICE mes‐
sages are generated for su's to root,
LOG_INFO messages are generated for
su's to other users, and LOG_CRIT mes‐
sages are generated for failed su
the default parameters in this file are:
Sets the TZ environment variable of
SEE ALSOcsh(1), env(1), ksh(1), login(1), roles(1), sh(1), syslogd(1M),
exec(2), getdefaultproj(3PROJECT), setproject(3PROJECT), pam(3PAM),
pam_authenticate(3PAM), pam_acct_mgmt(3PAM), pam_setcred(3PAM),
pam.conf(4), passwd(4), profile(4), sulog(4), syslog(3C),
Feb 26, 2004 SU(1M)