HP-UX Reference Volume 1 of 5 > su(1)

NAME

su — switch user

DESCRIPTION

The su (set user or superuser) command allows one user to become another user without logging out.

username is the name of a user defined in the /etc/passwd file (see passwd(4)). The default name is root (that is, superuser).

To use su, the appropriate password must be supplied unless the current user is superuser. If a valid password is entered, su executes a new shell with the real and effective user ID, real and effective group ID, and group access list set to those of the specified user. The new shell is the one specified in the shell field of the new user's entry in the password file, /etc/passwd. The arguments are passed along to the new shell for execution, permitting the user to run shell procedures with the new user's privileges. When exiting from the new shell, the previous username and environment are restored.

If the - option is specified, the new shell starts up as if the new user had initiated a new login session. Exceptions are as follows:

If the - option is omitted, the new shell starts as if a subshell was invoked. Exceptions are as follows:

If the shell specified in /etc/passwd is /usr/bin/sh, su sets the value of parameter 0 in the new shell (referenced as $0) to su. If the - option of the su command is specified, su sets parameter 0 to -su.

If the shell specified in /etc/passwd is not /usr/bin/sh, su sets the value of parameter 0 in the new shell to shellname. If the - option of the su command is specified, su sets parameter 0 to -shellname. For example, if the Korn shell is invoked, the value of shellname will be either ksh or -ksh.

By comparison, the login command always sets parameter 0 to -shellname.

All attempts to become another user are logged in /var/adm/sulog, including failures. Successful attempts are flagged with +; failures, with -. They are also logged with syslog() (see syslog(3C)).

HP-UX Smart Card Login

If the user account is configured to use a Smart Card, the user password is stored in the card. This password has characteristics identical to a normal password stored on the system.

In order to su using a Smart Card account, the Smart Card from the destination user account must be inserted into the Smart Card reader. The user is prompted for a PIN instead of a password during authentication.

    Enter PIN:

The password is retrieved automatically from the Smart Card when a valid PIN is entered. Therefore, it is not necessary to know the password, only the PIN.

The card is locked if an incorrect PIN is entered three consecutive times. It may be unlocked only by the card issuer.

SECURITY FEATURES

Except for user root, users on a trusted system cannot use su to change to an account that has been locked because of expired passwords or other access restrictions.

EXTERNAL INFLUENCES

Environment Variables

International Code Set Support

Characters in the 7-bit US-ASCII code sets are supported in login names (see ascii(5)).

EXAMPLES

Become user bin while retaining the previously exported environment:

    su bin

Become user bin but change the environment to what would be expected if bin had originally logged in:

    su - bin

Execute command and its arguments using the temporary environment and permissions of user bin:

    su - bin -c command arguments

WARNINGS

After a valid password is supplied, su uses information from /etc/passwd and /etc/logingroup to determine the user's group ID and group access list. If /etc/group is linked to /etc/logingroup, and group membership for the user trying to log in is managed by the Network Information Service (NIS), and no NIS server is able to respond, su waits until a server does respond.

In normal operation, root is able to su to another user's account without being prompted for a password. However, DCE (Distributed Computing Environment) credentials for a user cannot be obtained without that user's password. Therefore, if DCE is being used as the authentication mechanism, and root wants to su to another user's account and get DCE credentials for that user, the -d flag must be specified. With this flag set, root will be prompted for the user's password and should supply that user's password at the prompt. For example:

    su -d DCEPrincipalName

The -d flag cannot be used with the -c flag.

DEPENDENCIES

Pluggable Authentication Modules (PAM)

PAM is an Open Group standard for user authentication, password modification, and account validation. In particular, pam_authenticate() is invoked to perform all functions related to su. This includes password retrieval, account validation, and error message displays.

FILES

SEE ALSO

env(1), login(1), sh(1), initgroups(3C), syslog(3C), group(4), passwd(4), profile(4), environ(5).
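
The DESCRIPTION states that every su attempt is recorded in /var/adm/sulog, flagged + for success and - for failure. The following is an added example, not part of the HP-UX manual, that reviews such a log from the shell. The record layout "SU MM/DD HH:MM FLAG TTY FROM-TO", the function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed record layout (not given on the page):
#   SU MM/DD HH:MM FLAG TTY FROM-TO
# FLAG is "+" for a successful su and "-" for a failed one, as the page states.
# Both functions read the log on standard input.

# Print "COUNT FROM-TO" for every user pair with at least $1 failed attempts,
# highest count first.
sulog_failures() {
    awk -v min="$1" '
        $1 == "SU" && $4 == "-" { fails[$6]++ }
        END { for (p in fails) if (fails[p] >= min) print fails[p], p }
    ' | sort -k1,1nr -k2,2
}

# Print "DATE TIME TTY FROM-TO" for each successful switch to root that was
# preceded earlier in the log by a failed attempt for the same FROM-TO pair.
sulog_root_after_failure() {
    awk '
        $1 == "SU" && $4 == "-" { failed[$6] = 1; next }
        $1 == "SU" && $4 == "+" && $6 ~ /-root$/ && ($6 in failed) {
            print $2, $3, $5, $6
        }
    '
}

# Constructed sample records (hypothetical users and terminals).
sample_sulog() {
    cat <<'EOF'
SU 03/14 09:02 + ttyp1 alice-root
SU 03/14 09:40 - ttyp3 bob-root
SU 03/14 09:41 - ttyp3 bob-root
SU 03/14 09:41 - ttyp3 bob-root
SU 03/14 09:43 + ttyp3 bob-root
SU 03/14 10:15 - ttyp2 carol-bin
EOF
}

echo "Pairs with 3 or more failed attempts:"
sample_sulog | sulog_failures 3
echo "Successful switches to root that followed a failure:"
sample_sulog | sulog_root_after_failure
```

To review a real log, redirect it into either function, for example: sulog_failures 3 < /var/adm/sulog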