su -- substitute user identity
su [-] [-flms] [-c class] [login [args]]
The su utility requests appropriate user credentials via PAM and switches
to that user ID (the default user is the superuser). A shell is then
PAM is used to set all policy.
By default, the environment is unmodified with the exception of USER,
HOME, and SHELL. HOME and SHELL are set to the target login's default
values. USER is set to the target login, unless the target login has a
user ID of 0, in which case it is unmodified. The invoked shell is the
one belonging to the target login. This is the traditional behavior of
su. Resource limits and session priority applicable to the original
user's login class (see login.conf(5)) are also normally retained unless
the target login has a user ID of 0.
The options are as follows:
-f If the invoked shell is csh(1), this option prevents it from
reading the ``.cshrc'' file.
-l Simulate a full login. The environment is discarded except for
HOME, SHELL, PATH, TERM, and USER. HOME and SHELL are modified
as above. USER is set to the target login. PATH is set to
``/bin:/usr/bin''. TERM is imported from your current environment.
Environment variables may be set or overridden from the
login class capabilities database according to the class of the
target login. The invoked shell is the target login's, and su
will change directory to the target login's home directory.
Resource limits and session priority are modified to that for the
target account's login class.
- (no letter) The same as -l.
-m Leave the environment unmodified. The invoked shell is your
login shell, and no directory changes are made. As a security
precaution, if the target user's shell is a non-standard shell
(as defined by getusershell(3)) and the caller's real uid is nonzero,
su will fail.
-s Set the MAC label to the user's default label as part of the user
credential setup. Setting the MAC label may fail if the MAC
label of the invoking process is not sufficient to transition to
the user's default MAC label. If the label cannot be set, su
Use the settings of the specified login class. Only allowed for
The -l (or -) and -m options are mutually exclusive; the last one specified
overrides any previous ones.
If the optional args are provided on the command line, they are passed to
the login shell of the target login. Note that all command line arguments
before the target login name are processed by su itself, everything
after the target login name get passed to the login shell.
By default (unless the prompt is reset by a startup file) the super-user
prompt is set to ``#'' to remind one of its awesome power.
/etc/pam.conf su is configured with PAM support; it uses /etc/pam.conf
entries with service name ``su''
csh(1), sh(1), group(5), login.conf(5), passwd(5), environ(7), pam(8)
Environment variables used by su:
HOME Default home directory of real user ID unless modified as specified
PATH Default search path of real user ID unless modified as specified
TERM Provides terminal type which may be retained for the substituted
USER The user ID is always the effective ID (the target user ID) after
an su unless the user ID is 0 (root).
su man -c catman
Runs the command catman as user man. You will be asked for man's
password unless your real UID is 0.
su man -c 'catman /usr/share/man /usr/local/man /usr/X11R6/man'
Same as above, but the target command consists of more than a single
word and hence is quoted for use with the -c option being
passed to the shell. (Most shells expect the argument to -c to be
a single word).
su -c staff man -c 'catman /usr/share/man /usr/local/man /usr/X11R6/man'
Same as above, but the target command is run with the resource
limits of the login class ``staff''. Note: in this example, the
first -c option applies to su while the second is an argument to
the shell being invoked.
su -l foo
Simulate a login for user foo.
su - foo
Same as above.
Simulate a login for root.
A su command appeared in Version 1 AT&T UNIX.
FreeBSD 5.2.1 April 18, 1994 FreeBSD 5.2.1 [ Back ]