su(1)



NAME

       su - Substitutes user ID temporarily

SYNOPSIS

       su [-p username | hostname] [- | -f] [username]
       [shell_option] [shell_command]

OPTIONS

       -p username | hostname
              Specifies the principal to use for Kerberos
              authentication. This option is ignored if the user
              name is not root or if the system is not configured
              in a Kerberos realm.

       -f     Prevents the user's shell initialization file from
              being executed by passing the -f option to the user
              shell, thus making su start up faster. The -f option
              is supported by the csh family of shells.

       -      Simulates a full login by executing the commands in
              either the and files for csh or the file for sh and
              ksh, and by setting the current working directory to
              the user home directory.

       shell_option
              Passes the specified shell option flag to the newly
              invoked user's shell for execution. The shell_option
              must be supported by the invoked shell. The csh, sh,
              ksh, and any other interactive command shell support
              the commonly used -c shell option. By default (no
              shell_option), the shell is opened with the -i
              (interactive) shell option. See the reference page
              for the shell you are using for more information on
              the shell options.

       shell_command
              Passes the specified command to the newly invoked
              user's shell for execution. The shell_command must
              be supported by the invoked shell.

DESCRIPTION

       The su command requires the password of the specified
       username, and if it is given, changes to that username and
       invokes the user shell without changing the current
       directory.

       If the - option is used, the user environment changes as
       if the specified user has logged in. Otherwise, the
       environment is passed along.

       If no username is specified,  the  root  user  account  is
       assumed.  Only users who belong to group number 0 (system)
       can issue su to become root, even with the root  password.
       To  remind superusers of their responsibilities, the shell
       substitutes a # (number sign) for its usual prompt.
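
       The group 0 restriction above can be audited from the account
       files. The following is an added example, not part of the
       original reference page: it lists the accounts that belong to
       group number 0 through either the primary GID in a
       passwd-format file or the member list in a group-format file.
       The function names, the sample accounts, and the assumption
       that both kinds of membership count are this example's own.

```shell
#!/bin/sh
# Added example: list accounts that belong to group number 0, the group
# the page says a user must be in before su will switch to root.
# Inputs are colon-separated passwd- and group-format files.

# su_root_candidates PASSWD_FILE GROUP_FILE
# Prints one user name per line, sorted, without duplicates.
# Assumption: primary and supplementary membership both count.
# NIS include/exclude entries (names starting with + or -) are skipped,
# so accounts served only by NIS are not covered by this check.
su_root_candidates() {
    passwd_file=$1
    group_file=$2
    {
        # Primary membership: field 4 of a passwd entry is the GID.
        awk -F: '$1 != "" && $1 !~ /^[+-]/ && $4 == 0 { print $1 }' \
            "$passwd_file"
        # Supplementary membership: field 4 of a group entry is a
        # comma-separated member list.
        awk -F: '$1 !~ /^[+-]/ && $3 == 0 && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
    } | sort -u
}

# Runs the check over constructed sample data (not from a real system).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:*:0:0:system PRIVILEGED account:/:/bin/sh
john:*:200:15:John:/usr/users/john:/bin/ksh
ops:*:201:0:Operator:/usr/users/ops:/bin/csh
mary:*:202:15:Mary:/usr/users/mary:/bin/ksh
EOF
    cat > "$tmp/group" <<'EOF'
system:*:0:root,john
users:*:15:john,mary
EOF
    su_root_candidates "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo
```

       Any name in the output that is not an intended administrator
       is an account whose only remaining barrier to root is the
       root password.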

       Shell commands may be passed to the shell that is  spawned
       by  su  by including them on the command line after the su
       flags and arguments. After the flags recognized by su  and
       the user argument are processed, unrecognized command line
       flags (shell_options)  and/or  arguments  (shell_commands)
       are  passed  to  the  shell  for execution. If the spawned
       shell does not support the command or the  format  of  the
       command,  the  command  is  not executed and the resulting
       shell behavior and error messages are  determined  by  the
       shell.







   Security Restrictions
       The  su  command fails if any lock conditions exist on the
       target account.  Specifically, if the destination  account
       was  retired, if the number of unsuccessful login attempts
       exceeds the maximum allowed, if  the  administrative  lock
       was  applied, or the password's lifetime was exceeded, the
       administrator must unlock the destination  account  before
       any user can log in to it or use su to transition to it.

SECURITY NOTE

       The su command uses the Security Integration Architecture
       (SIA) routine as an interface to installed security
       modules to perform user authentication. When the installed
       Kerberos SIA module is used, the su command does not
       change the user ID to the specified username until the su
       command authenticates the user in one of the following
       ways:

       o  If you specify a username, the su command attempts to
          authenticate the Kerberos principal username@realm,
          where username is the specified user's account name,
          and realm is the default Kerberos realm of the host
          where the su command was entered.

       o  If you do not specify a username, the su command
          attempts to authenticate the principal root@realm.

       If you are logged in as root and enter the su command with
       the -p option, the su command does not reauthenticate and
       it immediately changes the user ID to the specified user.

       If you change users and Kerberos authentication fails, the
       su command attempts to use password authentication by
       using the /etc/passwd file, provided that the BSD SIA
       module is configured on the local system.

       If a user has a username/root@realm principal in the
       Kerberos database, the user can enter the -p username
       option to force the su command to authenticate using that
       principal instead of the username@realm principal. The
       advantage to this authentication is that it grants the
       user temporary root permissions (as specified in the
       username/root@realm principal) without requiring that the
       user know the enterprise root password. Instead, the user
       must only know the password associated with the
       username/root@realm principal.

       If the host computer has a root/hostname@realm principal
       in the Kerberos database, the user can enter the -p
       hostname option to force the su command to authenticate
       using that principal instead of a user principal. The
       advantage to this authentication is that it grants the
       user temporary root permissions on a particular host (as
       specified in the root/hostname@realm principal) without
       requiring that the user know the enterprise root password.
       Instead, the user must only know the password associated
       with the root/hostname@realm principal.

ENVIRONMENT VARIABLES

       The following environment variables affect the behavior of
       su:

EXAMPLES

       The following examples assume that you are logged in as
       john on a system called mymachine in a Kerberos realm
       called myrealm, and that the Kerberos database contains
       the principals john/root@myrealm and
       root/mymachine@myrealm.

              To be authenticated as john/root@myrealm, enter:

              $ su -p user

              To be authenticated as root/mymachine@myrealm,
              enter:

              $ su -h host

FILES

       Provides the matrix that selects the appropriate installed
       security module.

SEE ALSO

       Commands: csh(1), kinit(1), kdestroy(1), klist(1), ksh(1),
       sh(1)

       Files: matrix.conf(4)

       Guides: Security Administration


