System Administration Commands su(1M)
NAME
su - become superuser or another user
SYNOPSIS
su [-] [username [arg...]
DESCRIPTION
The su command allows one to become another user without
logging off or to assume a role. The default user name is
root (superuser).
To use su, the appropriate password must be supplied (unless
the invoker is already root). If the password is correct, su
creates a new shell process that has the real and effective
user ID, group IDs, and supplementary group list set to
those of the specified username. Additionally, the new
shell's project ID is set to the default project ID of the
specified user. See getdefaultproj(3PROJECT),
setproject(3PROJECT). The new shell will be the shell speci-
fied in the shell field of username's password file entry
(see passwd(4)). If no shell is specified, /usr/bin/sh is
used (see sh(1)). If superuser privilege is requested and
the shell for the superuser cannot be invoked using exec(2),
/sbin/sh is used as a fallback. To return to normal user ID
privileges, type an EOF character (CTRL-D) to exit the new
shell.
Any additional arguments given on the command line are
passed to the new shell. When using programs such as sh, an
arg of the form -c string executes string using the shell
and an arg of -r gives the user a restricted shell.
To create a login environment, the command "su -" does the
following:
o In addition to what is already propagated, the LC*
and LANG environment variables from the specified
user's environment are also propagated.
o Propagate TZ from the user's environment. If TZ is
not found in the user's environment, su uses the TZ
value from the TIMEZONE parameter found in
/etc/default/login.
o Set MAIL to /var/mail/newuser.
SunOS 5.11 Last change: 26 Feb 2004 1
System Administration Commands su(1M)
If the first argument to su is a dash (-), the environment
will be changed to what would be expected if the user actu-
ally logged in as the specified user. Otherwise, the
environment is passed along, with the exception of $PATH,
which is controlled by PATH and SUPATH in /etc/default/su.
All attempts to become another user using su are logged in
the log file /var/adm/sulog (see sulog(4)).
SECURITY
su uses pam(3PAM) with the service name su for authentica-
tion, account management, and credential establishment.
EXAMPLES
Example 1 Becoming User bin While Retaining Your Previously
Exported Environment
To become user bin while retaining your previously exported
environment, execute:
example% su bin
Example 2 Becoming User bin and Changing to bin's Login
Environment
To become user bin but change the environment to what would
be expected if bin had originally logged in, execute:
example% su - bin
Example 3 Executing command with user bin's Environment and
Permissions
To execute command with the temporary environment and per-
missions of user bin, type:
example% su - bin -c "command args"
SunOS 5.11 Last change: 26 Feb 2004 2
System Administration Commands su(1M)
ENVIRONMENT VARIABLES
Variables with LD prefix are removed for security reasons.
Thus, su bin will not retain previously exported variables
with LD prefix while becoming user bin.
If any of the LC* variables ( LCTYPE, LCMESAGES,
LCTIME, LCOLATE, LCNUMERIC, and LCMONETARY) (see
environ(5)) are not set in the environment, the operational
behavior of su for each corresponding locale category is
determined by the value of the LANG environment variable. If
LCAL is set, its contents are used to override both the
LANG and the other LC* variables. If none of the above
variables are set in the environment, the "C" (U.S. style)
locale determines how su behaves.
LCTYPE Determines how su handles characters. When
LCTYPE is set to a valid value, su can
display and handle text and filenames con-
taining valid characters for that locale. su
can display and handle Extended Unix Code
(EUC) characters where any individual charac-
ter can be 1, 2, or 3 bytes wide. su can also
handle EUC characters of 1, 2, or more column
widths. In the "C" locale, only characters
from ISO 8859-1 are valid.
LCMESAGES Determines how diagnostic and informative
messages are presented. This includes the
language and style of the messages, and the
correct form of affirmative and negative
responses. In the "C" locale, the messages
are presented in the default form found in
the program itself (in most cases, U.S.
English).
FILES
$HOME/.profile user's login commands for sh and ksh
/etc/passwd system's password file
/etc/profile system-wide sh and ksh login commands
/var/adm/sulog log file
SunOS 5.11 Last change: 26 Feb 2004 3
System Administration Commands su(1M)
/etc/default/su the default parameters in this file
are:
SULOG If defined, all attempts to
su to another user are
logged in the indicated
file.
CONSOLE If defined, all attempts to
su to root are logged on
the console.
PATH Default path. (/usr/bin:)
SUPATH Default path for a user
invoking su to root.
(/usr/sbin:/usr/bin)
SYSLOG Determines whether the
syslog(3C) LOGAUTH facil-
ity should be used to log
all su attempts. LOGNOTICE
messages are generated for
su's to root, LOGINFO mes-
sages are generated for
su's to other users, and
LOGCRIT messages are gen-
erated for failed su
attempts.
/etc/default/login the default parameters in this file
are:
TIMEZONE Sets the TZ environment
variable of the shell.
ATRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
SunOS 5.11 Last change: 26 Feb 2004 4
System Administration Commands su(1M)
ATRIBUTE TYPE ATRIBUTE VALUE
Availability SUNWcsu
SEE ALSO
csh(1), env(1), ksh(1), login(1), roles(1), sh(1),
syslogd(1M), exec(2), getdefaultproj(3PROJECT),
setproject(3PROJECT), pam(3PAM), pamauthenticate(3PAM),
pamacctmgmt(3PAM), pamsetcred(3PAM), pam.conf(4),
passwd(4), profile(4), sulog(4), syslog(3C), attributes(5),
environ(5)
SunOS 5.11 Last change: 26 Feb 2004 5
|
