If a user has su authorization they can su to any account, providing they know the password for that account. If the user does not have su authorization, they can su only to their own account or to another account that they own, or to an account that has the same owner as the current account.
To use su, the appropriate password must be supplied (unless you are already the super user). If the password is correct, su will execute a new shell with the user ID, group ID, and supplemental group list set to those of the specified user. The new shell also has the kernel and subsystem authorizations of the specified user, although the LUID is not changed. (su only sets the LUID if it has not already been set. For example, the init(M) process does not have an LUID; when the system goes to multiuser mode, scripts invoked by init use su to set the LUID for those commands that require it.) The new shell is defined by the program field in /etc/passwd; /bin/sh is run by default if no program is specified. (This may not be true for Network Information Service (NIS) since program could be specified on the NIS server.)
To restore normal user ID privileges, press EOF <Ctrl>d to exit the new shell. You must specify a username with the -c option; for example, su -c scoadmin root. When you exit the system administration shell, you will no longer be root.
The following statements are true only if the optional program named in the shell field of the specified user's password file entry is like sh. If the first argument to su is a ``-'', the environment is changed to what would be expected if the user actually logged in as the specified user. This is done by invoking the program used as the shell with an arg0 value whose first character is ``-'', thus causing first the system's profile (/etc/profile) and then the specified user's profile (.profile in the new $HOME directory) to be executed. Otherwise, the environment is passed along with the possible exception of $PATH, which is set to /bin:/etc:/usr/bin for root. The ``-'' option should never be used in /etc/rc scripts.
Note that if the optional program used as the shell is /bin/sh, the user's .profile can check arg0 for -sh or -su to determine if it was invoked by login(M) or su, respectively. If the user's program is other than /bin/sh, then .profile is invoked with an arg0 of -program by both login and su.
The file /etc/default/su can be used to control several aspects of how su is used. Several entries can be placed in /etc/default/su:
SULOG=/usr/adm/sulogThis causes all attempts by any user to switch user IDs to be recorded in the file /usr/adm/sulog. This filename is arbitrary. The su logfile records the original user, the UID of the su attempt, and the time of the attempt. If the attempt is successful, a plus sign (+) is placed on the line describing the attempt. A minus sign (-) indicates an unsuccessful attempt.
To become user bin but change the environment to what
would be expected if bin had originally logged in, enter:
su - bin
To execute command with the temporary environment and
permissions of user bin, enter:
su - -c command bin args
AT&T SVID Issue 2.