su(1M)su(1M)NAMEsu - become superuser or another user
SYNOPSISsu [ - ] [ name ] [ -M label ] [ -C capability set ] [ arg ... ]
DESCRIPTIONsu allows you to become another user without logging off. The default
user name is root (that is, superuser).
To use su, you must supply the appropriate password (except as described
below). If the password is correct, su executes a new shell with the
real and effective user ID set to that of the specified user. The new
shell is the program optionally named in the shell field of the specified
user's password file entry (see passwd(4)), or /bin/sh if none is
specified (see sh(1)). To restore normal user ID privileges, type an EOF
(<(Ctrl-d>) to the new shell.
su prompts for a password if the specified user's account has one.
However, su does not prompt you if your user name is root or your name is
listed in the specified user's .rhosts file as:
localhost your_name
(The hostname of localhost is shorthand for the machine's name.)
OPTIONS-C <capability set>
Execute the requested command with the specified capability set .
The requested user must be cleared to operate with the requested
capability set. If capabilities are not configured on your system,
this option is silently ignored.
-M <MAC label>
Execute the requested command at the specified label . The invoker
of su must be cleared to operate at the requested label. If that
label is different than the user's current label then stdin, stdout,
and stderr will be closed and the shell will be terminated. To
prevent shells from terminating, a new window shell must be created
at the new label. This is achieved by using the -c option (see
examples). If MAC is not configured on your system (see sysconf(1)),
this option is silently ignored.
Any additional arguments given on the command line are passed to the
program invoked as the shell. When using programs like sh(1), an arg of
the form -c string executes string via the shell and an arg of -r gives
the user a restricted shell.
su reads /etc/default/su to determine default behavior. To change the
defaults, the system administrator should edit this file. Recognized
values are:
Page 1
su(1M)su(1M)
SULOG=file # Use file as the su log file.
CONSOLE=device # Log successful attempts to su root to device.
SUPATH=path # Use path as the PATH for root.
PATH=path # Use path as the PATH for normal users.
SYSLOG=FAIL # Log to syslog all failures (SYSLOG=FAIL)
# or all successes and failures (SYSLOG=ALL).
The following statements are true only if the optional program named in
the shell field of the specified user's password file entry is like
sh(1). If the first argument to su is a -, the environment is changed to
what would be expected if the user actually logged in as the specified
user. This is done by invoking the program used as the shell with an
arg0 value whose first character is -, thus causing the system's profile
(/etc/profile) and then the specified user's profile (.profile in the new
HOME directory) to be executed.
Otherwise, the environment is passed along with the possible exception of
$PATH, which is set to
/usr/sbin:/usr/bsd:/sbin:/usr/bin:/bin:/etc:/usr/etc:/usr/bin/X11
for root. Additionally, environment variables of the form of those that
are special to rld(1) are not passed to the user's program; that is,
variable names beginning with either _RLD or LD_LIBRARY. Note that if
the optional program used as the shell is /bin/sh, the user's .profile
can check arg0 for -sh or -su to determine if it was invoked by login(1)
or su, respectively. If the user's program is other than /bin/sh, then
.profile is invoked with an arg0 of -program by both login and su.
All attempts to become another user using su are logged in the log file
/var/adm/sulog by default.
EXAMPLES
To become user bin while retaining your previously exported environment,
execute:
su bin
To become user bin but change the environment to what would be expected
if bin had originally logged in, execute:
su - bin
To execute command with the temporary environment and permissions of user
bin, type:
su - bin -c "command args"
Under Trusted Irix, to create a new window shell for user bin at a MAC
label of dblow, execute:
Page 2
su(1M)su(1M)su bin -M dblow -c xwsh &
FILES
/etc/passwd system's password file
/etc/profile system's initialization script for /bin/sh users
/etc/cshrc system's initialization script for /bin/csh users
$HOME/.profile /bin/sh user's initialization script
$HOME/.cshrc /bin/csh user's initialization script
$HOME/.rhosts user's list of trusted users
/var/adm/sulog log file
/etc/default/su defaults file
/etc/config/pam to determine whether PAM is enabled
SEE ALSOcapability(4), env(1), login(1), rld(1), sh(1), cshrc(4), passwd(4),
profile(4), rhosts(4), environ(5), pam(8).
DIAGNOSTICS
su: uid N: cannot attach to lnode - reason.
The lnode attachment failed, so the shell was not executed.
Page 3
