su(1)

DESCRIPTION

The su (set user or superuser) command allows one user to become another user without logging out.

username is the name of a user defined in the /etc/passwd file (see passwd(4)). The default name is root (that is, superuser).

To use su, the appropriate password must be supplied unless the current user is superuser. If a valid password is entered, su executes a new shell with the real and effective user ID, real and effective group ID, and group access list set to that of the specified user. The new shell is the one specified in the shell field of the new user's entry in the password file, /etc/passwd.

The arguments are passed along to the new shell for execution, permitting the user to run shell procedures with the new user's privileges.

When exiting from the new shell, the previous username and environment are restored.

If the - option is specified, the new shell starts up as if the new user had initiated a new login session. Exceptions are as follows:

If the - option is omitted, the new shell starts as if a subshell was invoked. Exceptions are as follows:

If the shell specified in /etc/passwd is /usr/bin/sh, su sets the value of parameter 0 in the new shell (referenced as $0) to su. If the - option of the su command is specified, su sets parameter 0 to -su.

If the shell specified in /etc/passwd is not /usr/bin/sh, su sets the value of parameter 0 in the new shell to shellname. If the - option of the su command is specified, su sets parameter 0 to -shellname. For example, if the Korn shell is invoked, the value of shellname will be either ksh or -ksh.

By comparison, the login command always sets parameter 0 to -shellname.

All attempts to become another user are logged in /var/adm/sulog, including failures. Successful attempts are flagged with +; failures, with -. They are also logged with syslog() (see syslog(3C)).

SECURITY FEATURES

Except for user root, users on a trusted system cannot use su to change to an account that has been locked because of expired passwords or other access restrictions.

EXTERNAL INFLUENCES

EXAMPLES

Become user bin while retaining the previously exported environment:

Become user bin but change the environment to what would be expected if bin had originally logged in:

Execute command and its arguments using the temporary environment and permissions of user bin:

WARNINGS

After a valid password is supplied, su uses information from /etc/passwd and /etc/logingroup to determine the user's group ID and group access list. If /etc/group is linked to /etc/logingroup, and group membership for the user trying to log in is managed by the Network Information Service (NIS), and no NIS server is able to respond, su waits until a server does respond.

In normal operation, root is able to su to another user's account without being prompted for a password. However, DCE (Distributed Computing Environment) credentials for a user cannot be obtained without that user's password. Therefore, if DCE is being used as the authentication mechanism, and root wants to su to another user's account and get DCE credentials for that user, the -d flag must be specified. With this flag set, root will be prompted for the user's password and should supply that user's password at the prompt. For example:

The -d flag cannot be used with -c flag.

DEPENDENCIES

FILES

SEE ALSO

env(1), login(1), sh(1), initgroups(3C), syslog(3C), group(4), passwd(4), profile(4), environ(5).

STANDARDS CONFORMANCE

su: SVID2, SVID3, XPG2