su(1)
NAME
su - switch user
SYNOPSIS
[username [arguments]]
[username]
DESCRIPTION
The su (set user or superuser) command allows one user to become another
user without logging out.
username is the name of a user defined in the file (see passwd(4)).
The default name is root (that is, superuser).
To use su, the appropriate password must be supplied unless the current
user is superuser and is not using the option. If a valid password is
entered, su executes a new shell with the real and effective user ID, real
and effective group ID, and group access list set to that of the specified
user. The new shell is the one specified in the shell field of
the new user's entry in the password file,
The arguments are passed along to the new shell for execution, permitting
the user to run shell procedures with the new user's privileges.
When exiting from the new shell, the previous username and environment
are restored.
All attempts to become another user are logged in including failures.
Successful attempts are flagged with failures, with They are also
logged with (see syslog(3C)).
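One way to act on the logging described above, as an added example that is not part of the original manual page: a POSIX shell filter that counts failed su attempts per user pair and reports successes that directly follow failures. The line layout (`SU date time flag tty from-to`, with `+` for success and `-` for failure) is an assumption based on the conventional sulog format, which this page does not spell out; the sample lines and function names are constructed.

```shell
#!/bin/sh
# Assumed sulog line layout (not spelled out on this page):
#   SU MM/DD HH:MM FLAG TTY FROM-TO     FLAG: "+" success, "-" failure

# Constructed sample lines, not taken from a real system.
sample_sulog() {
cat <<'EOF'
SU 03/14 09:02 + ttyp1 alice-root
SU 03/14 09:15 - ttyp3 bob-root
SU 03/14 09:15 - ttyp3 bob-root
SU 03/14 09:16 - ttyp3 bob-root
SU 03/14 10:40 - ttyp2 carol-dbadmin
SU 03/14 10:41 + ttyp2 carol-dbadmin
truncated or foreign line, ignored
SU 03/14 11:05 - ttyp4 bob-root
EOF
}

# parse_sulog: stdin -> "FLAG FROM TO DATE TIME" for well-formed lines only.
parse_sulog() {
    awk '$1 == "SU" && NF == 6 && ($4 == "+" || $4 == "-") {
        i = index($6, "-")            # split FROM-TO at the first hyphen
        if (i < 2 || i == length($6)) next
        print $4, substr($6, 1, i - 1), substr($6, i + 1), $2, $3
    }'
}

# failed_su_report MIN: "COUNT FROM TO" for pairs with >= MIN failures,
# highest count first.
failed_su_report() {
    parse_sulog | awk -v min="$1" '
        $1 == "-" { fails[$2 " " $3]++ }
        END { for (k in fails) if (fails[k] >= min) print fails[k], k }
    ' | sort -k1,1nr -k2,2
}

# success_after_failure: "FROM TO DATE TIME N" when a success directly
# follows N consecutive failures for the same FROM/TO pair.
success_after_failure() {
    parse_sulog | awk '
        { k = $2 " " $3 }
        $1 == "-" { run[k]++ }
        $1 == "+" { if (run[k] > 0) print k, $4, $5, run[k]; run[k] = 0 }
    '
}
```

Login names that themselves contain a hyphen make the FROM-TO split ambiguous; the filter splits at the first hyphen, so review such entries by hand.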
Options
su recognizes the following options:
If the option is specified, the new shell starts up as if the
new user had initiated a new login session. If the
option is omitted, the new shell starts as if a subshell
was invoked. See more details below.
If DCE (Distributed Computing Environment) is being used as
the authentication mechanism, the option must be specified.
With this option, even superuser will be
prompted for the user's password. This is because
DCE credentials for a user cannot be
obtained without that user's password.
This option cannot be used with shell arguments.
If the option is specified, the new shell starts up as if the new user
had initiated a new login session. Exceptions are as follows:
· The variable is reset to the new user's home directory.
· If the new user name is root, the path and prompt variables are reset:
For other user names:
· The variable is retained.
· The rest of the environment is deleted and reset to the login
state. However, the login files are normally executed anyway,
usually restoring the expected value of and other variables.
If the option is omitted, the new shell starts as if a subshell was
invoked. Exceptions are as follows:
· If the new user name is root, the path and prompt variables are reset:
· The previously defined and environment variables are removed.
· The rest of the environment is retained.
If the shell specified in is sets the value of parameter in the new
shell (referenced as to If the option of the command is specified,
sets parameter to
If the shell specified in is not sets the value of parameter in the
new shell to shellname. If the option of the command is specified,
sets parameter to For example, if the Korn shell is invoked, the
value of shellname will be either or
By comparison, the command always sets parameter to
HP-UX Smart Card Login
If the user account is configured to use a Smart Card, the user password
is stored in the card. This password has characteristics identical
to a normal password stored on the system.
In order to su using a Smart Card account, the Smart Card from the destination
user account must be inserted into the Smart Card reader. The
user is prompted for a PIN instead of a password during authentication.
The password is retrieved automatically from the Smart Card when a
valid PIN is entered. Therefore, it is not necessary to know the password,
only the PIN.
The card is locked if an incorrect PIN is entered three consecutive
times. It may be unlocked only by the card issuer.
SECURITY FEATURES
Except for user root, users cannot use su to change to an account that has been
locked because of expired passwords or other access restrictions.
Refer to the file in the security(4) manual page for detailed information
on configurable attributes that affect the behavior of this command.
Currently, the supported attributes for the su command are:
EXTERNAL INFLUENCES
Environment Variables
User's home directory
The language in which messages are displayed.
If is not specified or is null, it defaults to (see
lang(5)). If any internationalization variable contains
an invalid setting, all internationalization variables
default to (see environ(5)).
User's login name
Command name search path
Default prompt
Name of the user's shell
International Code Set Support
Characters in the 7-bit US-ASCII code sets are supported in login names
(see ascii(5)).
EXAMPLES
Become user while retaining the previously exported environment:
Become user but change the environment to what would be expected if had
originally logged in:
Execute the command, using the temporary environment and permissions of
user In this example, user bin's shell is invoked with the arguments
Become user in the DCE environment:
WARNINGS
After a valid password is supplied, su uses information from and to determine
the user's group ID and group access list. If is linked to and
group membership for the user trying to log in is managed by the Network
Information Service (NIS), and no NIS server is able to respond,
su waits until a server does respond.
DEPENDENCIES
Pluggable Authentication Modules (PAM)
PAM is an Open Group standard for user authentication, password modification,
and account validation. In particular, is invoked to perform
all functions related to This includes password retrieval, account validation,
and error message displays.
FILES
User's profile
System's default group access list file
System's password file
System's profile
Log of all attempts
Security defaults configuration file
SEE ALSO
env(1), login(1), sh(1), initgroups(3C), syslog(3C), group(4),
passwd(4), profile(4), security(4), environ(5).
Pluggable Authentication Modules (PAM)
pam_acct_mgmt(3), pam_authenticate(3).
HP-UX Smart Card Login
scpin(1).
STANDARDS CONFORMANCE