su - substitute user identity
su [-fKLlm] [-a auth-type] [-c login-class] [login [shell arguments]]
su requests the Kerberos password for login (or for ``login.root'', if no login is provided), and switches to that user and group ID after obtaining a Kerberos ticket granting access. A shell is then executed, and any additional shell arguments after the login name are passed to the shell.
su will resort to the local password file to find the password for login if there is a Kerberos error or if Kerberos is not installed. If su is executed by root, no password is requested and a shell with the appropriate user ID is executed; no additional Kerberos tickets are obtained.
By default, the environment is unmodified with the exception of LOGNAME, HOME, SHELL, and USER. HOME and SHELL are set to the target login's default values. LOGNAME and USER are set to the target login, unless the target login has a user ID of 0 and the -l flag was not specified, in which case it is unmodified. The invoked shell is the target login's. This is the traditional behavior of su.
If not using -m and the target login has a user ID of 0 then the PATH variable and umask value (see umask(2)) are always set according to the /etc/login.conf file (see login.conf(5)).
The options are as follows:
- Same as the -l option (deprecated).
-a Specify an authentication type such as ``skey'', ``securid'', or ``krb5''.
-c Specify a login class. You may only override the default class if you're already root.
-f If the invoked shell is csh(1), this option prevents it from reading the ``.cshrc'' file.
-L Loop until a correct username and password combination is entered, similar to login(1). Note that in this mode target login must be specified explicitly, either on the command line or interactively. Additionally, su will prompt for the password even when invoked by root.
-K Do not attempt to use Kerberos to authenticate the user.
-l Simulate a full login. The environment is discarded except for HOME, SHELL, PATH, TERM, LOGNAME, and USER. HOME and SHELL are modified as above. LOGNAME and USER are set to the target login. PATH is set to the value specified by the ``path'' entry in login.conf(5). TERM is imported from your current environment. The invoked shell is the target login's, and su will change directory to the target login's home directory.
-m Leave the environment unmodified. The invoked shell is your login shell, and no directory changes are made. As a security precaution, if the target user's shell is a non-standard shell (as defined by getusershell(3)) and the caller's real UID is non-zero, su will fail.
The -l and -m options are mutually exclusive; the last one specified overrides any previous ones.
If the optional shell arguments are provided on the command line, they are passed to the login shell of the target login. This makes it possible to pass arbitrary commands via the -c option as understood by most shells. Note that -c usually expects a single argument only; you have to quote it when passing multiple words.
If group 0 (normally ``wheel'') has users listed then only those users can su to ``root''. It is not sufficient to change a user's /etc/passwd entry to add them to the ``wheel'' group; they must explicitly be listed in /etc/group. If no one is in the ``wheel'' group, it is ignored, and anyone who knows the root password is permitted to su to ``root''.
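The group 0 rule above can be audited offline against copies of the group and passwd files. This is an added example, not part of su or of the original manual page; the function name wheel_audit, its output labels and the sample accounts are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of su(1): report who the group-0 rule lets su to root.
# wheel_audit GROUP_FILE PASSWD_FILE   (files in group(5) / passwd(5) format)
wheel_audit() {
    awk -F: '
        # group(5): name:passwd:gid:member,member,...
        kind == "group" && $3 == 0 {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "") { listed[m[i]] = 1; count++ }
        }
        # passwd(5): name:passwd:uid:gid:...  A primary GID of 0 is not
        # enough; only names listed in the group file count.
        kind == "passwd" && $4 == 0 && $3 != 0 && !($1 in listed) {
            print "NOT-LISTED " $1
        }
        END {
            if (count == 0)
                print "OPEN group 0 is empty, so the restriction is ignored"
            else
                for (u in listed) print "ALLOWED " u
        }
    ' kind=group "$1" kind=passwd "$2" | LC_ALL=C sort
}

# Constructed sample data: bob has primary GID 0 but is not listed in wheel.
demo_dir=$(mktemp -d)
printf '%s\n' 'wheel:*:0:root,alice' 'staff:*:20:bob' > "$demo_dir/group"
printf '%s\n' 'root:*:0:0::/root:/bin/ksh' \
              'alice:*:1000:1000::/home/alice:/bin/ksh' \
              'bob:*:1001:0::/home/bob:/bin/ksh' > "$demo_dir/passwd"
wheel_audit "$demo_dir/group" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

An OPEN line means the restriction is not in effect and the root password is the only barrier; a NOT-LISTED line marks an account whose passwd entry suggests wheel membership that su will not honour.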
By default (unless the prompt is reset by a startup file) the superuser prompt is set to ``#'' to remind one of its awesome power.
HOME Default home directory of real user ID unless modified as specified above.
LOGNAME The user ID is always the effective ID (the target user ID) after an su unless the user ID is 0 (root).
PATH Default search path of real user ID unless modified as specified above.
TERM Provides terminal type which may be retained for the substituted user ID.
USER Same as LOGNAME.
$ su bin -c makewhatis
Runs the command makewhatis as user bin. You will be asked for bin's password unless your real UID is 0.
$ su bin -c 'makewhatis /usr/local/man'
Same as above, but the target command consists of more than a single word.
$ su -l foo
Pretend a login for user foo.
$ su -a skey -l foo
Same as above, but use S/Key for authentication.
csh(1), kinit(1), login(1), sh(1), skey(1), setusercontext(3), group(5), login.conf(5), passwd(5), environ(7), sudo(8)
A su command appeared in Version 7 AT&T UNIX.
There is no direct way to force a particular shell to be used.
The login name is not optional for root if there are shell arguments.
OpenBSD 3.6 July 29, 1991