SU(8) Maintenance Commands and Procedures SU(8)

NAME


su - become superuser or another user

SYNOPSIS


su [-] [username [arg...]]


DESCRIPTION


The su command allows one to become another user without logging off
or to assume a role. The default user name is root (superuser).


To use su, the appropriate password must be supplied (unless the
invoker is already root). If the password is correct, su creates a
new shell process that has the real and effective user ID, group IDs,
and supplementary group list set to those of the specified username.
Additionally, the new shell's project ID is set to the default
project ID of the specified user. See getdefaultproj(3PROJECT),
setproject(3PROJECT). The new shell will be the shell specified in
the shell field of username's password file entry (see passwd(5)). If
no shell is specified, /usr/bin/sh is used (see sh(1)). If superuser
privilege is requested and the shell for the superuser cannot be
invoked using exec(2), /sbin/sh is used as a fallback. To return to
normal user ID privileges, type an EOF character (CTRL-D) to exit the
new shell.


Any additional arguments given on the command line are passed to the
new shell. When using programs such as sh, an arg of the form -c
string executes string using the shell and an arg of -r gives the
user a restricted shell.


To create a login environment, the command "su -" does the following:

o In addition to what is already propagated, the LC* and
LANG environment variables from the specified user's
environment are also propagated.

o Propagate TZ from the user's environment. If TZ is not
found in the user's environment, su uses the TZ value from
the TIMEZONE parameter found in /etc/default/login.

o Set MAIL to /var/mail/new_user.


If the first argument to su is a dash (-), the environment will be
changed to what would be expected if the user actually logged in as
the specified user. Otherwise, the environment is passed along, with
the exception of $PATH, which is controlled by PATH and SUPATH in
/etc/default/su.


All attempts to become another user using su are logged in the log
file /var/adm/sulog (see sulog(5)).

SECURITY


su uses pam(3PAM) with the service name su for authentication,
account management, and credential establishment.

EXAMPLES


Example 1: Becoming User bin While Retaining Your Previously Exported Environment


To become user bin while retaining your previously exported
environment, execute:


example% su bin


Example 2: Becoming User bin and Changing to bin's Login Environment




To become user bin but change the environment to what would be
expected if bin had originally logged in, execute:


example% su - bin


Example 3: Executing command with user bin's Environment and Permissions


To execute command with the temporary environment and permissions of
user bin, type:


example% su - bin -c "command args"


ENVIRONMENT VARIABLES


Variables with LD_ prefix are removed for security reasons. Thus, su
bin will not retain previously exported variables with LD_ prefix
while becoming user bin.


If any of the LC_* variables (LC_CTYPE, LC_MESSAGES, LC_TIME,
LC_COLLATE, LC_NUMERIC, and LC_MONETARY) (see environ(7)) are not set
in the environment, the operational behavior of su for each
corresponding locale category is determined by the value of the LANG
environment variable. If LC_ALL is set, its contents are used to
override both the LANG and the other LC_* variables. If none of the
above variables are set in the environment, the "C" (U.S. style)
locale determines how su behaves.

LC_CTYPE
Determines how su handles characters. When LC_CTYPE is
set to a valid value, su can display and handle text
and filenames containing valid characters for that
locale. su can display and handle Extended Unix Code
(EUC) characters where any individual character can be
1, 2, or 3 bytes wide. su can also handle EUC
characters of 1, 2, or more column widths. In the "C"
locale, only characters from ISO 8859-1 are valid.


LC_MESSAGES
Determines how diagnostic and informative messages are
presented. This includes the language and style of the
messages, and the correct form of affirmative and
negative responses. In the "C" locale, the messages
are presented in the default form found in the program
itself (in most cases, U.S. English).


FILES


$HOME/.profile
user's login commands for sh and ksh


/etc/passwd
system's password file


/etc/profile
system-wide sh and ksh login commands


/var/adm/sulog
log file


/etc/default/su
the default parameters in this file are:

SULOG
If defined, all attempts to su to
another user are logged in the
indicated file.


CONSOLE
If defined, all attempts to su to
root are logged on the console.


PATH
Default path. (/usr/bin:)


SUPATH
Default path for a user invoking su
to root. (/usr/sbin:/usr/bin)


SYSLOG
Determines whether the syslog(3C)
LOG_AUTH facility should be used to
log all su attempts. LOG_NOTICE
messages are generated for su's to
root, LOG_INFO messages are
generated for su's to other users,
and LOG_CRIT messages are generated
for failed su attempts.


/etc/default/login
the default parameters in this file are:

TIMEZONE
Sets the TZ environment variable of
the shell.
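
The logging and path parameters listed for /etc/default/su can be checked mechanically. The script below is an added example, not part of the original manual page or of su itself: a POSIX shell audit that reports which of SULOG, CONSOLE and SYSLOG are left undefined and whether an explicit SUPATH contains an empty or relative component. It assumes NAME=value lines with # comments and that SYSLOG is enabled by the value YES; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an /etc/default/su-style file for the parameters above.
# Assumes NAME=value lines, '#' for comments, and SYSLOG=YES to enable syslog.

# su_param FILE NAME: print the value of the last uncommented NAME= line.
su_param() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# path_is_safe VALUE: succeed only if every component is an absolute path.
# An empty component (leading, trailing or doubled ':') names the current
# directory, which does not belong in the search path of a root shell.
path_is_safe() {
    case "$1" in
        ''|:*|*:|*::*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        case "$dir" in
            /*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
}

# audit_su_defaults FILE: print one finding per line, nothing if all is set.
audit_su_defaults() {
    [ -n "$(su_param "$1" SULOG)" ] || echo "SULOG unset: no su log file"
    [ -n "$(su_param "$1" CONSOLE)" ] || echo "CONSOLE unset: su to root not logged on the console"
    [ "$(su_param "$1" SYSLOG)" = YES ] || echo "SYSLOG not YES: su attempts not sent to LOG_AUTH"
    supath=$(su_param "$1" SUPATH)
    # An unset SUPATH means su uses its built-in default; only judge explicit values.
    [ -z "$supath" ] || path_is_safe "$supath" || echo "SUPATH=$supath: empty or relative component"
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
SULOG=/var/adm/sulog
#CONSOLE=/dev/console
#SYSLOG=YES
SUPATH=/usr/sbin:/usr/bin:
EOF
audit_su_defaults "$sample"
```

On the constructed sample the audit prints three findings: CONSOLE and SYSLOG are commented out, and SUPATH ends in a colon.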


SEE ALSO


csh(1), env(1), ksh(1), login(1), roles(1), sh(1), exec(2),
syslog(3C), pam(3PAM), pam_acct_mgmt(3PAM), pam_authenticate(3PAM),
pam_setcred(3PAM), getdefaultproj(3PROJECT), setproject(3PROJECT),
pam.conf(5), passwd(5), profile(5), sulog(5), attributes(7),
environ(7), syslogd(8)

February 17, 2023 SU(8)
