
su(1)

HP-UX 11i Version 3: February 2007

NAME

su — switch user

SYNOPSIS

su [-] [username [arguments]]

su [-] -d [username]

DESCRIPTION

The su (set user or superuser) command allows one user to become another user without logging out.

username is the name of a user defined in the /etc/passwd file (see passwd(4)). The default name is root (that is, superuser).

To use su, the appropriate password must be supplied unless the current user is superuser and is not using the -d option. If a valid password is entered, su executes a new shell with the real and effective user ID, real and effective group ID, and group access list set to that of the specified user. The new shell is the one specified in the shell field of the new user's entry in the password file, /etc/passwd.

The arguments are passed along to the new shell for execution, permitting the user to run shell procedures with the new user's privileges.

When exiting from the new shell, the previous username and environment are restored.

All attempts to become another user are logged in /var/adm/sulog, including failures. Successful attempts are flagged with +; failures, with -. They are also logged with syslog() (see syslog(3C)).
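The following is an added example, not part of the HP-UX manual, showing one way to review the log described above for repeated failures and for a success that follows them. It assumes the conventional System V sulog line layout `SU MM/DD HH:MM flag tty from-to`, which this page does not spell out; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: review su attempts recorded in a sulog-style file.
# Assumed layout (not stated on this page): SU MM/DD HH:MM FLAG TTY FROM-TO
# FLAG is + for success and - for failure, as the manual describes.
# FROM-TO is treated as one opaque token, since user names may contain '-'.

# Constructed sample data, not taken from a real system.
sample_sulog() {
cat <<'EOF'
SU 02/14 09:01 + ttyp1 alice-root
SU 02/14 09:17 - ttyp3 bob-root
SU 02/14 09:17 - ttyp3 bob-root
SU 02/14 09:18 - ttyp3 bob-root
SU 02/14 09:19 + ttyp3 bob-root
SU 02/14 10:02 - ttyp2 carol-bin
SU 02/14 10:03 + ttyp2 carol-bin
EOF
}

# su_failures [MIN]: reads sulog lines on stdin and prints "COUNT FROM-TO"
# for each pair with at least MIN failures (default 3), highest count first.
su_failures() {
    awk -v min="${1:-3}" '
        $1 == "SU" && NF >= 6 && $4 == "-" { n[$6]++ }
        END { for (p in n) if (n[p] >= min) print n[p], p }
    ' | sort -k1,1nr -k2,2
}

# su_success_after_failures [MIN]: prints each successful entry that was
# preceded by MIN or more consecutive failures for the same pair (default 3),
# a pattern worth reviewing as possible password guessing.
su_success_after_failures() {
    awk -v min="${1:-3}" '
        $1 != "SU" || NF < 6 { next }
        $4 == "-" { run[$6]++; next }
        $4 == "+" { if (run[$6] >= min) print; run[$6] = 0 }
    '
}

# Demo on the constructed sample; on a real system use, for example:
#   su_failures 3 < /var/adm/sulog
sample_sulog | su_success_after_failures 3
```
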

Options

su recognizes the following options:

-

If the - option is specified, the new shell starts up as if the new user had initiated a new login session. If the - option is omitted, the new shell starts as if a subshell was invoked. See more details below.

-d

If DCE (Distributed Computing Environment) is being used as the authentication mechanism, the -d option must be specified. With this option, even superuser will be prompted for the user's password, because DCE credentials for a user cannot be obtained without that user's password.

This option cannot be used with shell arguments.

If the - option is specified, the new shell starts up as if the new user had initiated a new login session. Exceptions are as follows:

  • The HOME variable is reset to the new user's home directory.

  • If the new user name is root, the path and prompt variables are reset:

    PATH=/usr/bin:/usr/sbin:/sbin PS1=#

    For other user names:

    PATH=/usr/bin PS1=$

  • The TERM variable is retained.

  • The rest of the environment is deleted and reset to the login state. However, the login files are normally executed anyway, usually restoring the expected value of PATH and other variables.

If the - option is omitted, the new shell starts as if a subshell was invoked. Exceptions are as follows:

  • If the new user name is root, the path and prompt variables are reset:

    PATH=/usr/bin:/usr/sbin:/sbin PS1=#

  • The previously defined HOME and ENV environment variables are removed.

  • The rest of the environment is retained.

If the shell specified in /etc/passwd is /usr/bin/sh, su sets the value of parameter 0 in the new shell (referenced as $0) to su. If the - option of the su command is specified, su sets parameter 0 to -su.

If the shell specified in /etc/passwd is not /usr/bin/sh, su sets the value of parameter 0 in the new shell to shellname. If the - option of the su command is specified, su sets parameter 0 to -shellname. For example, if the Korn shell is invoked, the value of shellname will be either ksh or -ksh.

By comparison, the login command always sets parameter 0 to -shellname.

HP-UX Smart Card Login

If the user account is configured to use a Smart Card, the user password is stored in the card. This password has characteristics identical to a normal password stored on the system.

In order to su using a Smart Card account, the Smart Card from the destination user account must be inserted into the Smart Card reader. The user is prompted for a PIN instead of a password during authentication.

Enter PIN:

The password is retrieved automatically from the Smart Card when a valid PIN is entered. Therefore, it is not necessary to know the password, only the PIN.

The card is locked if an incorrect PIN is entered three consecutive times. It may be unlocked only by the card issuer.

SECURITY FEATURES

Except for user root, users cannot use su to change to an account that has been locked because of expired passwords or other access restrictions.

Refer to the /etc/default/security file in the security(4) manual page for detailed information on configurable parameters that affect the behavior of this command. Currently, the supported parameters for the su command are:

  • SU_ROOT_GROUP

  • SU_DEFAULT_PATH

  • SU_KEEP_ENV_VARS

EXTERNAL INFLUENCES

Environment Variables

HOME

User's home directory

LANG

The language in which messages are displayed. If LANG is not specified or is null, it defaults to C (see lang(5)). If any internationalization variable contains an invalid setting, all internationalization variables default to C (see environ(5)).

LOGNAME

User's login name

PATH

Command name search path

PS1

Default prompt

SHELL

Name of the user's shell

International Code Set Support

Characters in the 7-bit US-ASCII code sets are supported in login names (see ascii(5)).

EXAMPLES

Become user bin while retaining the previously exported environment:

su bin

Become user bin but change the environment to what would be expected if bin had originally logged in:

su - bin

Execute the command, 'echo hello', using the temporary environment and permissions of user bin. In this example, user bin's shell is invoked with the arguments -c 'echo hello'.

su bin -c 'echo hello'

Become user DCEPrincipal in the DCE environment:

su -d DCEPrincipal

WARNINGS

After a valid password is supplied, su uses information from /etc/passwd and /etc/logingroup to determine the user's group ID and group access list. If /etc/group is linked to /etc/logingroup, and group membership for the user trying to log in is managed by the Network Information Service (NIS), and no NIS server is able to respond, su waits until a server does respond.

DEPENDENCIES

Pluggable Authentication Modules (PAM)

PAM is an Open Group standard for user authentication, password modification, and account validation. In particular, pam_authenticate() is invoked to perform all functions related to su. This includes password retrieval, account validation, and error message displays.

FILES

$HOME/.profile

User's profile

/etc/logingroup

System's default group access list file

/etc/passwd

System's password file

/etc/profile

System's profile

/var/adm/sulog

Log of all attempts

/etc/default/security

Security defaults configuration file

SEE ALSO

env(1), login(1), sh(1), initgroups(3C), syslog(3C), group(4), passwd(4), profile(4), security(4), environ(5).

Pluggable Authentication Modules (PAM)

pam_acct_mgmt(3), pam_authenticate(3).

HP-UX Smart Card Login

scpin(1).

STANDARDS CONFORMANCE

su: SVID2, SVID3, XPG2

© 1983-2007 Hewlett-Packard Development Company, L.P.