su(1)
NAME
su - Substitutes user ID temporarily
SYNOPSIS
su [-p username | hostname] [- | -f] [username] [shell_option] [shell_command]
OPTIONS
-p username | hostname
Specifies the principal to use for Kerberos authentication. This
option is ignored if the user name is not root or if the system is not
configured in a Kerberos realm.
-f Prevents the user's shell initialization file from being executed by
passing the -f option to the user shell, thus making su start up
faster. The -f option is supported by the csh family of shells.
- Simulates a full login by executing the commands in either the .cshrc
and .login files for csh or the .profile file for sh and ksh, and by
setting the current working directory to the user home directory.
shell_option
Passes the specified shell option flag to the newly invoked user's
shell for execution. The shell_option must be supported by the invoked
shell. The csh, sh, ksh, and any other interactive command shell
support the commonly used -c shell option. By default (no
shell_option), the shell is opened with the -i (interactive) shell
option. See the reference page for the shell you are using for more
information on the shell options.
shell_command
Passes the specified command to the newly invoked user's shell for
execution. The shell_command must be supported by the invoked shell.
DESCRIPTION
The su command prompts for the password of the specified username and, if the
correct password is given, changes to that username and invokes the user's
shell without changing the current directory.
If the - option is used, the user environment changes as if the specified
user has logged in. Otherwise, the environment is passed along.
If no username is specified, the root user account is assumed. Only users
who belong to group number 0 (system) can issue su to become root, even
with the root password. To remind superusers of their responsibilities,
the shell substitutes a # (number sign) for its usual prompt.
Shell commands may be passed to the shell that is spawned by su by
including them on the command line after the su flags and arguments. After
the flags recognized by su and the user argument are processed,
unrecognized command line flags (shell_options) and/or arguments
(shell_commands) are passed to the shell for execution. If the spawned
shell does not support the command or the format of the command, the
command is not executed and the resulting shell behavior and error messages
are determined by the shell.
Security Restrictions
The su command fails if any lock conditions exist on the target account.
Specifically, if the destination account was retired, if the number of
unsuccessful login attempts exceeds the maximum allowed, if the
administrative lock was applied, or the password's lifetime was exceeded,
the administrator must unlock the destination account before any user can
log in to it or use su to transition to it.
SECURITY NOTE
The su command uses the Security Integration Architecture (SIA) routine as
an interface to installed security modules to perform user authentication.
When the installed Kerberos SIA module is used, the su command does not
change the user ID to the specified username until the su command
authenticates the user in one of the following ways:
· If you specify a username, the su command attempts to authenticate the
Kerberos principal username@realm, where username is the specified
user's account name, and realm is the default Kerberos realm of the
host where the su command was entered.
· If you do not specify a username, the su command attempts to
authenticate the principal root@realm.
· If you are logged in as root and enter the su command with the -p
option, the su command does not reauthenticate and it immediately
changes the user ID to the specified user. If you change users and
Kerberos authentication fails, the su command attempts to use password
authentication by using the /etc/passwd file, provided that the BSD
SIA module is configured on the local system.
· If a user has a username/root@realm principal in the Kerberos
database, the user can enter the -p username option to force the su
command to authenticate using that principal instead of the
username@realm principal. The advantage to this authentication is that
it grants the user temporary root permissions (as specified in the
username/root@realm principal) without requiring that the user know
the enterprise root password. Instead, the user must only know the
password associated with the username/root@realm principal.
· If the host computer has a root/hostname@realm principal in the
Kerberos database, the user can enter the -p hostname option to force
the su command to authenticate using that principal instead of a user
principal. The advantage to this authentication is that it grants the
user temporary root permissions on a particular host (as specified in
the root/hostname@realm principal) without requiring that the user
know the enterprise root password. Instead, the user must only know
the password associated with the root/hostname@realm principal.
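The following model is an added example, not part of the Tru64 su(1) manual or
its implementation. It encodes the rules stated in the Security Restrictions
section (lock conditions on the target account, the group 0 requirement for
becoming root) and in the SECURITY NOTE above (which Kerberos principal is
tried for a given username and -p argument, no reauthentication for root with
-p, fallback to /etc/passwd when the BSD SIA module is configured), so an
administrator can see what su will attempt before a transition is allowed. The
account records, the failed-login limit, the realm name and the rule that a -p
argument matching a local account name is treated as a username (anything else
as a hostname) are assumptions made here.

```python
from dataclasses import dataclass

# Assumed site limit; the page only says "the maximum allowed".
MAX_FAILED_LOGINS = 5


@dataclass(frozen=True)
class Account:
    """Constructed account record carrying the lock state that su checks."""
    name: str
    uid: int
    groups: frozenset = frozenset()   # numeric group ids
    retired: bool = False
    failed_logins: int = 0
    admin_locked: bool = False
    password_expired: bool = False    # the password's lifetime was exceeded


def lock_condition(acct):
    """Return the first lock condition on the target account, or None."""
    if acct.retired:
        return "retired"
    if acct.failed_logins > MAX_FAILED_LOGINS:
        return "unsuccessful login attempts exceed the maximum allowed"
    if acct.admin_locked:
        return "administrative lock applied"
    if acct.password_expired:
        return "password lifetime exceeded"
    return None


def kerberos_principal(p_option, accounts, realm):
    """Pick the principal su authenticates against for a transition to root.
    Assumption: a -p argument naming a local account is a username, anything
    else is taken as a hostname (the page only says 'username | hostname')."""
    if p_option is None:
        return f"root@{realm}"
    if p_option in accounts:
        return f"{p_option}/root@{realm}"      # username/root@realm
    return f"root/{p_option}@{realm}"         # root/hostname@realm


def plan_su(invoker, accounts, username=None, p_option=None,
            realm="myrealm", bsd_sia=True):
    """Return what su would do: a failure reason, or the ordered list of
    (method, identity) credentials it tries before changing the user ID."""
    target_name = username or "root"          # no username: root is assumed
    target = accounts[target_name]

    lock = lock_condition(target)
    if lock:
        return {"result": "fail", "reason": f"target account locked: {lock}"}
    if target_name == "root" and 0 not in invoker.groups:
        return {"result": "fail", "reason": "invoker is not in group 0 (system)"}

    if target_name != "root":
        # -p is ignored unless the target account is root
        principal = f"{target_name}@{realm}"
    elif invoker.uid == 0 and p_option is not None:
        # root with -p: no reauthentication, immediate user ID change
        return {"result": "ok", "target": target_name, "auth": []}
    else:
        principal = kerberos_principal(p_option, accounts, realm)

    auth = [("kerberos", principal)]
    if bsd_sia:
        # Kerberos failure falls back to password auth against /etc/passwd
        auth.append(("passwd", target_name))
    return {"result": "ok", "target": target_name, "auth": auth}


# Constructed sample accounts: john is in group 0, alice is not, bob is retired.
ACCOUNTS = {
    "root": Account("root", 0, frozenset({0})),
    "john": Account("john", 1001, frozenset({0, 20})),
    "alice": Account("alice", 1002, frozenset({20})),
    "bob": Account("bob", 1003, frozenset({20}), retired=True),
}

if __name__ == "__main__":
    john = ACCOUNTS["john"]
    print(plan_su(john, ACCOUNTS, p_option="john"))        # john/root@myrealm
    print(plan_su(john, ACCOUNTS, p_option="mymachine"))   # root/mymachine@myrealm
    print(plan_su(ACCOUNTS["alice"], ACCOUNTS))            # fails: not in group 0
    print(plan_su(john, ACCOUNTS, username="bob"))         # fails: account retired
```

Running the block prints the plan for each constructed case; the useful property
for an administrator is that every path to a root shell ends either in a named
lock reason or in an explicit credential list, so the unlock step the Security
Restrictions section requires is never skipped silently.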
ENVIRONMENT VARIABLES
The following environment variables affect the behavior of su:
EXAMPLES
1. Assume you are logged in as john on a system called mymachine in a
Kerberos realm called myrealm, and the Kerberos database contains the
principals john/root@myrealm and root/mymachine@myrealm.
To be authenticated as john/root@myrealm, enter:
$ su -p user
To be authenticated as root/mymachine@myrealm, enter:
$ su -h host
FILES
matrix.conf
Provides the matrix that selects the appropriate installed security
module.
SEE ALSO
Commands: csh(1), kinit(1), kdestroy(1), klist(1), ksh(1), sh(1)
Files: matrix.conf(4)
Guides: Security Administration