su(1) su(1)
NAME
su - switch user
SYNOPSIS
su [-] [username [arguments]]
su [-] -d [username]
DESCRIPTION
The su (set user or superuser) command allows one user to become
another user without logging out.
username is the name of a user defined in the /etc/passwd file (see
passwd(4)). The default name is root (that is, superuser).
To use su, the appropriate password must be supplied unless the
current user is superuser and is not using the -d option. If a valid
password is entered, su executes a new shell with the real and
effective user ID, real and effective group ID, and group access list
set to that of the specified user. The new shell is the one specified
in the shell field of the new user's entry in the password file,
/etc/passwd.
The arguments are passed along to the new shell for execution,
permitting the user to run shell procedures with the new user's
privileges.
When exiting from the new shell, the previous username and environment
are restored.
All attempts to become another user are logged in /var/adm/sulog,
including failures. Successful attempts are flagged with +; failures,
with -. They are also logged with syslog() (see syslog(3C)).
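The following added example (not part of the HP-UX manual page) shows one way to review the log described above for repeated failures and for failures that end in a success. It assumes each sulog entry has the layout SU MM/DD HH:MM FLAG TTY FROMUSER-TOUSER, which this page does not specify; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: review a sulog-style file for failed su attempts.
# ASSUMPTION (not stated on this page): each entry looks like
#   SU MM/DD HH:MM FLAG TTY FROMUSER-TOUSER
# where FLAG is "+" for success and "-" for failure.

# Constructed sample entries, not taken from a real system.
sample_sulog() {
cat <<'EOF'
SU 08/12 09:01 + ttyp1 alice-root
SU 08/12 09:14 - ttyp2 bob-root
SU 08/12 09:15 - ttyp2 bob-root
SU 08/12 09:15 - ttyp2 bob-root
SU 08/12 10:40 - ttyp3 carol-bin
SU 08/12 11:02 + ttyp2 bob-root
truncated or malformed entry that must be skipped
EOF
}

# failed_su [threshold]
# Reads entries on stdin and prints "COUNT FROMUSER-TOUSER" for each pair
# with at least <threshold> failures (default 1), highest count first.
failed_su() {
    awk -v min="${1:-1}" '
        $1 == "SU" && NF == 6 && $4 == "-" { fail[$6]++ }
        END { for (p in fail) if (fail[p] >= min) print fail[p], p }
    ' | sort -k1,1nr -k2,2
}

# fail_then_success
# Prints "FROMUSER-TOUSER FAILURES" the first time a pair succeeds after
# one or more earlier failures, a sequence that merits a closer look.
fail_then_success() {
    awk '
        $1 == "SU" && NF == 6 && $4 == "-" { fail[$6]++ }
        $1 == "SU" && NF == 6 && $4 == "+" && fail[$6] > 0 && !seen[$6]++ {
            print $6, fail[$6]
        }
    '
}

# Demo on the sample; on a real host use: failed_su 3 < /var/adm/sulog
sample_sulog | failed_su 2
sample_sulog | fail_then_success
```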
Options
su recognizes the following options:
-     If the - option is specified, the new shell starts up
      as if the new user had initiated a new login session.
      If the - option is omitted, the new shell starts as if
      a subshell was invoked. See more details below.
-d    If DCE (Distributed Computing Environment) is being
      used as the authentication mechanism, the -d option
      must be specified. With this option, even superuser
      will be prompted for the user's password, because DCE
      credentials for a user cannot be obtained without that
      user's password.
      This option cannot be used with shell arguments.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
If the - option is specified, the new shell starts up as if the new
user had initiated a new login session. Exceptions are as follows:
+ The HOME variable is reset to the new user's home directory.
+ If the new user name is root, the path and prompt variables are
  reset:
      PATH=/usr/bin:/usr/sbin:/sbin
      PS1=#
  For other user names:
      PATH=/usr/bin
      PS1=$
+ The TERM variable is retained.
+ The rest of the environment is deleted and reset to the login
  state. However, the login files are normally executed anyway,
  usually restoring the expected value of PATH and other variables.
If the - option is omitted, the new shell starts as if a subshell was
invoked. Exceptions are as follows:
+ If the new user name is root, the path and prompt variables are
  reset:
      PATH=/usr/bin:/usr/sbin:/sbin
      PS1=#
+ The previously defined HOME and ENV environment variables are
  removed.
+ The rest of the environment is retained.
If the shell specified in /etc/passwd is /usr/bin/sh, su sets the
value of parameter 0 in the new shell (referenced as $0) to su. If
the - option of the su command is specified, su sets parameter 0 to
-su.
If the shell specified in /etc/passwd is not /usr/bin/sh, su sets
the value of parameter 0 in the new shell to shellname. If the -
option of the su command is specified, su sets parameter 0 to
-shellname. For example, if the Korn shell is invoked, the value of
shellname will be either ksh or -ksh.
By comparison, the login command always sets parameter 0 to
-shellname.
HP-UX Smart Card Login
If the user account is configured to use a Smart Card, the user
password is stored in the card. This password has characteristics
identical to a normal password stored on the system.
In order to su using a Smart Card account, the Smart Card from the
destination user account must be inserted into the Smart Card reader.
The user is prompted for a PIN instead of a password during
authentication.
Enter PIN:
The password is retrieved automatically from the Smart Card when a
valid PIN is entered. Therefore, it is not necessary to know the
password, only the PIN.
The card is locked if an incorrect PIN is entered three consecutive
times. It may be unlocked only by the card issuer.
SECURITY FEATURES
Except for user root, users cannot use su to change to an account that
has been locked because of expired passwords or other access
restrictions.
Refer to the /etc/default/security file in the security(4) manual page
for detailed information on configurable parameters that affect the
behavior of this command. Currently, the supported parameters for the
su command are:
    SU_ROOT_GROUP
    SU_DEFAULT_PATH
    SU_KEEP_ENV_VARS
EXTERNAL INFLUENCES
Environment Variables
HOME       User's home directory
LANG       The language in which messages are displayed. If LANG
           is not specified or is null, it defaults to C (see
           lang(5)). If any internationalization variable
           contains an invalid setting, all internationalization
           variables default to C (see environ(5)).
LOGNAME    User's login name
PATH       Command name search path
PS1        Default prompt
SHELL      Name of the user's shell
International Code Set Support
Characters in the 7-bit US-ASCII code sets are supported in login
names (see ascii(5)).
EXAMPLES
Become user bin while retaining the previously exported environment:
    su bin
Become user bin but change the environment to what would be expected
if bin had originally logged in:
    su - bin
Execute the command, 'echo hello', using the temporary environment and
permissions of user bin. In this example, user bin's shell is invoked
with the arguments -c 'echo hello'.
    su bin -c 'echo hello'
Become user DCEPrincipal in the DCE environment:
    su -d DCEPrincipal
WARNINGS
After a valid password is supplied, su uses information from
/etc/passwd and /etc/logingroup to determine the user's group ID and
group access list. If /etc/group is linked to /etc/logingroup, and
group membership for the user trying to log in is managed by the
Network Information Service (NIS), and no NIS server is able to
respond, su waits until a server does respond.
DEPENDENCIES
Pluggable Authentication Modules (PAM)
PAM is an Open Group standard for user authentication, password
modification, and account validation. In particular,
pam_authenticate() is invoked to perform all functions related to su.
This includes password retrieval, account validation, and error
message displays.
FILES
$HOME/.profile           User's profile
/etc/logingroup          System's default group access list file
/etc/passwd              System's password file
/etc/profile             System's profile
/var/adm/sulog           Log of all attempts
/etc/default/security    Security defaults configuration file
SEE ALSO
env(1), login(1), sh(1), initgroups(3C), syslog(3C), group(4),
passwd(4), profile(4), security(4), environ(5).
Pluggable Authentication Modules (PAM)
pam_acct_mgmt(3), pam_authenticate(3).
HP-UX Smart Card Login
scpin(1).
STANDARDS CONFORMANCE
su: SVID2, SVID3, XPG2