NAME

     su - substitute user identity

SYNOPSIS

     su [-fKLlm] [-a auth-type] [-c login-class] [login [shell

DESCRIPTION

     su requests the Kerberos password for login (or for ``login.root'', if no
     login is provided), and switches to that user and group ID after obtaining
     a Kerberos ticket granting access.  A shell is then executed, and any
     additional shell arguments after the login name are passed to the shell.
     su will resort to the local password file to find the password for login
     if there is a Kerberos error or if Kerberos is not installed.  If su is
     executed by root, no password is requested and a shell with the appropriate
     user ID is executed; no additional Kerberos tickets are

     By default, the environment is unmodified with the exception
     HOME, SHELL, and USER.  HOME and SHELL are set to the target login's
     default values.  LOGNAME and USER are set to the target login, unless the
     target login has a user ID of 0 and the -l flag was not specified, in
     which case it is unmodified.  The invoked shell is the target login's.
     This is the traditional behavior of su.

     If not using -m and the target login has a user ID of 0 then the PATH
     variable and umask value (see umask(2)) are always set according to the
     /etc/login.conf file (see login.conf(5)).

     The options are as follows:

     -       Same as the -l option (deprecated).

     -a      Specify an authentication type such as ``skey'', ``securid'', or

     -c      Specify a login class.  You may only override the default class
             if you're already root.

     -f      If the invoked shell is csh(1), this option prevents it from
             reading the ``.cshrc'' file.

     -L      Loop until a correct username and password combination is entered,
             similar to login(1).  Note that in this mode target login
             must be specified explicitly, either on the command line or
             interactively.  Additionally, su will prompt for the password even
             when invoked by root.

     -K      Do not attempt to use Kerberos to authenticate the

     -l      Simulate a full login.  The environment is discarded except for
             HOME, SHELL, PATH, TERM, LOGNAME, and USER.  HOME and SHELL are
             modified as above.  LOGNAME and USER are set to the target login.
             PATH is set to the value specified by the ``path'' entry in
             login.conf(5).  TERM is imported from your current
             The invoked shell is the target login's, and su will change
             directory to the target login's home directory.

     -m      Leave the environment unmodified.  The invoked shell is your login
             shell, and no directory changes are made.  As a security
             precaution, if the target user's shell is a non-standard shell (as
             defined by getusershell(3)) and the caller's real UID is non-zero,
             su will fail.

     The -l and -m options are mutually exclusive; the last one
     overrides any previous ones.

     If the optional shell arguments are provided on the command line, they
     are passed to the login shell of the target login.  This allows it to
     pass arbitrary commands via the -c option as understood by most shells.
     Note that -c usually expects a single argument only; you have to quote it
     when passing multiple words.

     If group 0 (normally ``wheel'') has users listed then only those users
     can su to ``root''.  It is not sufficient to change a user's
     entry to add them to the ``wheel'' group; they must explicitly be listed
     in /etc/group.  If no one is in the ``wheel'' group, it is ignored, and
     anyone who knows the root password is permitted to su to
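
     An added example, not part of the original manual page: a POSIX sh audit
     of the group 0 rule described above.  It assumes the "user's entry" in
     that paragraph is the primary-group field of passwd(5); the function
     names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the su(1) page): audit the group-0 rule for su to root.

# Names explicitly listed as members of GID 0 in a group(5)-format file.
wheel_members() {
    awk -F: '$3 == "0" { n = split($4, m, ",")
                         for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1" | sort -u
}

# "restricted": only the listed users may su to root.
# "open": the member list is empty, so the group is ignored.
su_root_policy() {
    if [ -n "$(wheel_members "$1")" ]; then echo restricted; else echo open; fi
}

# Non-root accounts whose passwd(5) primary GID is 0 but which are not listed
# in the group file; while the policy is "restricted" they cannot su to root.
primary_only() {
    awk -F: -v listed="$(wheel_members "$1" | tr '\n' ' ')" '
        BEGIN { n = split(listed, l, " "); for (i = 1; i <= n; i++) ok[l[i]] = 1 }
        $3 != "0" && $4 == "0" && !($1 in ok) { print $1 }' "$2"
}

# Constructed sample files (not real accounts) for a self-contained run.
make_sample() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'wheel:*:0:root,alice' 'staff:*:20:alice,bob' > "$dir/group"
    printf '%s\n' 'root:*:0:0:Root:/root:/bin/ksh' \
                  'alice:*:1000:20:Alice:/home/alice:/bin/ksh' \
                  'bob:*:1001:0:Bob:/home/bob:/bin/ksh' > "$dir/passwd"
    echo "$dir"
}

audit_su() {
    echo "policy: $(su_root_policy "$1")"
    echo "may su to root: $(wheel_members "$1" | tr '\n' ' ')"
    echo "gid 0 in passwd only: $(primary_only "$1" "$2" | tr '\n' ' ')"
}

# With two arguments, audit those files (e.g. /etc/group /etc/passwd);
# otherwise run against the constructed sample.
if [ "$#" -ge 2 ]; then
    audit_su "$1" "$2"
else
    d=$(make_sample) && audit_su "$d/group" "$d/passwd" && rm -rf "$d"
fi
```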

     By default (unless the prompt is reset by a startup file) the superuser
     prompt is set to ``#'' to remind one of its awesome power.

ENVIRONMENT

     HOME     Default home directory of real user ID unless modified as specified

     LOGNAME  The user ID is always the effective ID (the target user ID) after
              an su unless the user ID is 0 (root).

     PATH     Default search path of real user ID unless modified as specified

     TERM     Provides terminal type which may be retained for the substituted
              user ID.

     USER     Same as LOGNAME.

EXAMPLES

     $ su bin -c makewhatis
            Runs the command makewhatis as user bin.  You will be asked for
            bin's password unless your real UID is 0.

     $ su bin -c 'makewhatis /usr/local/man'
            Same as above, but the target command consists of more than a single

     $ su -l foo
            Pretend a login for user foo.

     $ su -a skey -l foo
            Same as above, but use S/Key for authentication.

SEE ALSO

     csh(1), kinit(1), login(1), sh(1), skey(1), setusercontext(3), group(5),
     login.conf(5), passwd(5), environ(7), sudo(8)

HISTORY

     A su command appeared in Version 7 AT&T UNIX.

BUGS

     There is no direct way to force a particular shell to be

     The login name is not optional for root if there are shell

OpenBSD 3.6                      July 29, 1991