su(1M)
NAME
su - become superuser or another user
SYNOPSIS
su [-] [ username [ arg...]]
DESCRIPTION
The su command allows one to become another user without
logging off or to assume a role. The default user name is
root (superuser).
To use su, the appropriate password must be supplied (unless
the invoker is already root). If the password is correct, su
creates a new shell process that has the real and effective
user ID, group IDs, and supplementary group list set to
those of the specified username. Additionally, the new
shell's project ID is set to the default project ID of the
specified user. See getdefaultproj(3PROJECT),
setproject(3PROJECT). The new shell will be the shell speci-
fied in the shell field of username's password file entry
(see passwd(4)). If no shell is specified, /usr/bin/sh is
used (see sh(1)). If superuser privilege is requested and
the shell for the superuser cannot be invoked using exec(2),
/sbin/sh is used as a fallback. To return to normal user ID
privileges, type an EOF character (<CTRL-D>) to exit the new
shell.
Any additional arguments given on the command line are
passed to the new shell. When using programs such as sh, an
arg of the form -c string executes string using the shell
and an arg of -r gives the user a restricted shell.
The following statements are true if the login shell is
/usr/bin/sh or an empty string (which defaults to
/usr/bin/sh) in the specific user's password file entry. If
the first argument to su is a dash (-), the environment will
be changed to what would be expected if the user actually
logged in as the specified user. Otherwise, the environment
is passed along, with the exception of $PATH, which is con-
trolled by PATH and SUPATH in /etc/default/su.
All attempts to become another user using su are logged in
the log file /var/adm/sulog (see sulog(4)).
SECURITY
su uses pam(3PAM) with the service name su for authentica-
tion, account management, and credential establishment.
EXAMPLES
Example 1: Becoming User bin While Retaining Your Previously
Exported Environment
To become user bin while retaining your previously exported
environment, execute:
example% su bin
Example 2: Becoming User bin and Changing to bin's Login
Environment
To become user bin but change the environment to what would
be expected if bin had originally logged in, execute:
example% su - bin
Example 3: Executing command with user bin's Environment and
Permissions
To execute command with the temporary environment and per-
missions of user bin, type:
example% su - bin -c "command args"
ENVIRONMENT VARIABLES
Variables with LD_ prefix are removed for security reasons.
Thus, su bin will not retain previously exported variables
with LD_ prefix while becoming user bin.
If any of the LC_* variables ( LC_CTYPE, LC_MESSAGES,
LC_TIME, LC_COLLATE, LC_NUMERIC, and LC_MONETARY) (see
environ(5)) are not set in the environment, the operational
behavior of su for each corresponding locale category is
determined by the value of the LANG environment variable. If
LC_ALL is set, its contents are used to override both the
LANG and the other LC_* variables. If none of the above
variables are set in the environment, the "C" (U.S. style)
locale determines how su behaves.
LC_CTYPE
Determines how su handles characters. When LC_CTYPE is
set to a valid value, su can display and handle text
and filenames containing valid characters for that
locale. su can display and handle Extended Unix Code
(EUC) characters where any individual character can be
1, 2, or 3 bytes wide. su can also handle EUC charac-
ters of 1, 2, or more column widths. In the "C"
locale, only characters from ISO 8859-1 are valid.
LC_MESSAGES
Determines how diagnostic and informative messages are
presented. This includes the language and style of the
messages, and the correct form of affirmative and
negative responses. In the "C" locale, the messages
are presented in the default form found in the program
itself (in most cases, U.S. English).
FILES
$HOME/.profile
user's login commands for sh and ksh
/etc/passwd
system's password file
/etc/profile
system-wide sh and ksh login commands
/var/adm/sulog
log file
/etc/default/su
the default parameters in this file are:
SULOG If defined, all attempts to su to another user
are logged in the indicated file.
CONSOLE
If defined, all attempts to su to root are
logged on the console.
PATH Default path. (/usr/bin:)
SUPATH
Default path for a user invoking su to root.
(/usr/sbin:/usr/bin)
SYSLOG
Determines whether the syslog(3C) LOG_AUTH
facility should be used to log all su attempts.
LOG_NOTICE messages are generated for su's to
root, LOG_INFO messages are generated for su's
to other users, and LOG_CRIT messages are gen-
erated for failed su attempts.
SLEEPTIME
If present, sets the number of seconds to wait
before login failure is printed to the screen
and another login attempt is allowed. Default is
4 seconds. Minimum is 0 seconds. Maximum is 5
seconds.
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsu |
|_____________________________|_____________________________|
SEE ALSO
csh(1), env(1), ksh(1), login(1), roles(1), sh(1),
syslogd(1M), exec(2), getdefaultproj(3PROJECT),
setproject(3PROJECT), pam(3PAM), syslog(3C), pam.conf(4),
passwd(4), profile(4), sulog(4), attributes(5), environ(5),
pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
pam_unix(5), pam_unix_account(5), pam_unix_auth(5),
pam_unix_session(5)
NOTES
The pam_unix(5) module might not be supported in a future
release. Similar functionality is provided by
pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
pam_unix_account(5), pam_unix_auth(5), and
pam_unix_session(5).
Man(1) output converted with
man2html