su(C)


su -- make the user a super user or another user

Syntax

su [ - ] [ -c command ] [ name [ arg ... ] ]

Description

The su command allows authorized users to change their user id to that of another user without logging off. The default user name is root (that is, super user).

If a user has su authorization they can su to any account, providing they know the password for that account. If the user does not have su authorization, they can su only to their own account or to another account that they own, or to an account that has the same owner as the current account.

To use su, the appropriate password must be supplied (unless you are already the super user). If the password is correct, su will execute a new shell with the user ID, group ID, and supplemental group list set to those of the specified user. The new shell also has the kernel and subsystem authorizations of the specified user, although the LUID is not changed. (su only sets the LUID if it has not already been set. For example, the init(M) process does not have an LUID; when the system goes to multiuser mode, scripts invoked by init use su to set the LUID for those commands that require it.) The new shell is defined by the program field in /etc/passwd; /bin/sh is run by default if no program is specified. (This may not be true for Network Information Service (NIS) since program could be specified on the NIS server.)

To restore normal user ID privileges, press EOF <Ctrl>d to exit the new shell. You must specify a username with the -c option; for example, su -c scoadmin root. When you exit the system administration shell, you will no longer be root.

The following statements are true only if the optional program named in the shell field of the specified user's password file entry is like sh. If the first argument to su is a ``-'', the environment is changed to what would be expected if the user actually logged in as the specified user. This is done by invoking the program used as the shell with an arg0 value whose first character is ``-'', thus causing first the system's profile (/etc/profile) and then the specified user's profile (.profile in the new $HOME directory) to be executed. Otherwise, the environment is passed along with the possible exception of $PATH, which is set to /bin:/etc:/usr/bin for root. The ``-'' option should never be used in /etc/rc scripts.

Note that if the optional program used as the shell is /bin/sh, the user's .profile can check arg0 for -sh or -su to determine if it was invoked by login(M) or su, respectively. If the user's program is other than /bin/sh, then .profile is invoked with an arg0 of -program by both login and su.

The file /etc/default/su can be used to control several aspects of how su is used. Several entries can be placed in /etc/default/su:


SULOG
Name of log file to record all attempts to use su. Usually /usr/adm/sulog. If this is not set, no logfile is kept. (See below.)

PATH
The PATH environment variable to set for non-root users. If not set, it defaults to :/bin:/usr/bin. The current PATH environment variable is ignored.

SUPATH
The PATH environment variable to set for root. If not set, it defaults to /bin:/etc:/usr/bin. The current PATH is ignored.

CONSOLE
Attempts to use su to change to the root account are logged to the named device, independently of SULOG.
For example, if you want to log all attempts by users to become root, edit the file /etc/default/su. In this file, place a string similar to:
   SULOG=/usr/adm/sulog
This causes all attempts by any user to switch user IDs to be recorded in the file /usr/adm/sulog. This filename is arbitrary. The su logfile records the original user, the UID of the su attempt, and the time of the attempt. If the attempt is successful, a plus sign (+) is placed on the line describing the attempt. A minus sign (-) indicates an unsuccessful attempt.

Examples

To become user bin while retaining your previously exported environment, enter:

su bin

To become user bin but change the environment to what would be expected if bin had originally logged in, enter:

su - bin

To execute command with the temporary environment and permissions of user bin, enter:

su - -c command bin args

Note

If you run su to change to a different user account, and that different user account does not have permission to access the current directory, you will be unable to use commands such as pwd and ls.

Authorization

The behavior of this command depends on the auth or su authorization in authorize(F). Refer to subsystem(M) for details.

Files


/etc/passwd
the system password file

/etc/default/su
file containing control options

/etc/profile
the system profile

$HOME/.profile
the user profile

See also

auths(C), env(C), environ(M), login(M), passwd(F), profile(M), sg(C), sh(C)

Standards conformance

su is conformant with:

AT&T SVID Issue 2.


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005