NAME
su - Substitutes user ID temporarily

SYNOPSIS
su [-p username | hostname] [- | -f] [username] [shell_option] [shell_command]
OPTIONS
-p username | hostname
    Specifies the principal to use for Kerberos authentication. This
    option is ignored if the user name is not root or if the system is
    not configured in a Kerberos realm.

-f  Prevents the user's shell initialization file from being executed
    by passing the -f option to the user's shell, thus making su start
    up faster. The -f option is supported by the csh family of shells.

-   Simulates a full login by executing the commands in the csh login
    startup files, or in the sh and ksh startup file, and by setting
    the current working directory to the user's home directory.

shell_option
    Passes the specified shell option flag to the newly invoked user's
    shell for execution. The shell_option must be supported by the
    invoked shell. The csh, sh, ksh, and any other interactive command
    shell support the commonly used -c shell option. By default (no
    shell_option), the shell is opened with the -i (interactive) shell
    option. See the reference page for the shell you are using for more
    information on the shell options.

shell_command
    Passes the specified command to the newly invoked user's shell for
    execution. The shell_command must be supported by the invoked shell.
DESCRIPTION
The su command requires the password of the specified username and,
if it is given, changes to that username and invokes the user's shell
without changing the current directory. If the - option is used, the
user environment changes as if the specified user had logged in.
Otherwise, the current environment is passed along.

If no username is specified, the root user account is assumed. Only
users who belong to group number 0 (system) can issue su to become
root, even with the root password. To remind superusers of their
responsibilities, the shell substitutes a # (number sign) for its
usual prompt.

Shell commands may be passed to the shell that is spawned by su by
including them on the command line after the su flags and arguments.
After the flags recognized by su and the user argument are processed,
unrecognized command line flags (shell_options) and/or arguments
(shell_commands) are passed to the shell for execution. If the spawned
shell does not support the command or the format of the command, the
command is not executed, and the resulting shell behavior and error
messages are determined by the shell.
Security Restrictions
The su command fails if any lock conditions exist on the
target account. Specifically, if the destination account
was retired, if the number of unsuccessful login attempts
exceeds the maximum allowed, if the administrative lock
was applied, or the password's lifetime was exceeded, the
administrator must unlock the destination account before
any user can log in to it or use su to transition to it.
The su command uses the Security Integration Architecture (SIA)
routine as an interface to installed security modules to perform user
authentication. When the installed Kerberos SIA module is used, the su
command does not change the user ID to the specified username until
the su command authenticates the user in one of the following ways:

  - If you specify a username, the su command attempts to authenticate
    the Kerberos principal username@realm, where username is the
    specified user's account name and realm is the default Kerberos
    realm of the host where the su command was entered.

  - If you do not specify a username, the su command attempts to
    authenticate the principal root@realm.

  - If you are logged in as root and enter the su command with the -p
    option, the su command does not reauthenticate; it immediately
    changes the user ID to the specified user.

If you change users and Kerberos authentication fails, the su command
falls back to password authentication against the /etc/passwd file,
provided that the BSD SIA module is configured on the local system.

If a user has a username/root@realm principal in the Kerberos
database, the user can enter the -p username option to force the su
command to authenticate using that principal instead of the
username@realm principal. The advantage of this authentication is that
it grants the user temporary root permissions (as specified in the
username/root@realm principal) without requiring that the user know
the enterprise root password. Instead, the user must only know the
password associated with the username/root@realm principal.

If the host computer has a root/hostname@realm principal in the
Kerberos database, the user can enter the -p hostname option to force
the su command to authenticate using that principal instead of a user
principal. The advantage of this authentication is that it grants the
user temporary root permissions on a particular host (as specified in
the root/hostname@realm principal) without requiring that the user
know the enterprise root password. Instead, the user must only know
the password associated with the root/hostname@realm principal.
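The principal-selection rules above, together with the argument order given in the SYNOPSIS, can be modelled as a small audit helper that parses a su command line and reports which Kerberos principal su would try to authenticate, whether the environment is rebuilt (-), and whether shell initialization is skipped (-f). This is an added example and not code from the su implementation; it assumes that a -p argument equal to the local host name selects root/hostname@realm and any other -p argument selects username/root@realm, which the page does not state explicitly.

```python
"""Model of su(1) argument handling and Kerberos principal selection.

Constructed example for auditing su invocations; not the real su code.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SuPlan:
    target_user: str                 # account su will switch to
    principal: Optional[str]         # principal to authenticate; None = no reauthentication
    full_login: bool                 # '-' given: environment rebuilt as a fresh login
    fast_start: bool                 # '-f' given: shell init file skipped
    shell_args: List[str] = field(default_factory=list)  # shell_option / shell_command


def plan_su(cmdline: str, invoking_user: str, hostname: str, realm: str) -> SuPlan:
    """Parse 'su [-p name] [- | -f] [username] [shell args...]' and derive what su does."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "su":
        raise ValueError("not a su command line")
    i, p_arg, full_login, fast_start = 1, None, False, False
    if i < len(argv) and argv[i] == "-p":          # -p takes exactly one argument
        if i + 1 >= len(argv):
            raise ValueError("-p requires a username or hostname")
        p_arg, i = argv[i + 1], i + 2
    if i < len(argv) and argv[i] in ("-", "-f"):   # mutually exclusive per the synopsis
        full_login, fast_start = argv[i] == "-", argv[i] == "-f"
        i += 1
    target = "root"                                 # no username: root is assumed
    if i < len(argv) and not argv[i].startswith("-"):
        target, i = argv[i], i + 1
    shell_args = argv[i:]                           # everything else goes to the shell

    if p_arg is not None and target != "root":
        p_arg = None                                # -p is ignored when the user name is not root
    if p_arg is not None and invoking_user == "root":
        principal = None                            # root with -p: no reauthentication
    elif p_arg == hostname:                         # assumption: host name -> host principal
        principal = f"root/{hostname}@{realm}"
    elif p_arg is not None:                         # assumption: anything else -> user/root
        principal = f"{p_arg}/root@{realm}"
    else:
        principal = f"{target}@{realm}"             # ordinary user (or root) principal
    return SuPlan(target, principal, full_login, fast_start, shell_args)
```

On Kerberos failure the page says su falls back to /etc/passwd when the BSD SIA module is configured; the model only reports the principal that would be tried first.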
ENVIRONMENT VARIABLES
The following environment variables affect the behavior of su:
EXAMPLES
If you are logged in as john on a system called mymachine in a
Kerberos realm called myrealm, the Kerberos database contains the
principals john/root@myrealm and root/mymachine@myrealm.

To be authenticated as john/root@myrealm, enter:
    $ su -p user

To be authenticated as root/mymachine@myrealm, enter:
    $ su -h host
FILES
Provides the matrix that selects the appropriate installed security
module.
SEE ALSO
Commands: csh(1), kinit(1), kdestroy(1), klist(1), ksh(1), sh(1)
Files: matrix.conf(4)
Guides: Security Administration
su(1)