Manual: (HP-UX-11.11)

 su(1)								       su(1)




 NAME
      su - switch user

 SYNOPSIS
      su [-] [username [arguments]]

 DESCRIPTION
      The su (set user or superuser) command allows one user to become
      another user without logging out.

      username is the name of a user defined in the /etc/passwd file (see
      passwd(4)).  The default name is root (that is, superuser).

      To use su, the appropriate password must be supplied unless the
      current user is superuser.  If a valid password is entered, su
      executes a new shell with the real and effective user ID, real and
      effective group ID, and group access list set to that of the specified
      user.  The new shell is the one specified in the shell field of the
      new user's entry in the password file, /etc/passwd.

      The arguments are passed along to the new shell for execution,
      permitting the user to run shell procedures with the new user's
      privileges.

      When exiting from the new shell, the previous username and environment
      are restored.

      If the - option is specified, the new shell starts up as if the new
      user had initiated a new login session.  Exceptions are as follows:

	+  The HOME variable is reset to the new user's home directory.

	+  If the new user name is root, the path and prompt variables are
	   reset:

	   PATH=/usr/bin:/usr/sbin:/sbin
	   PS1=#

	   For other user names:

	   PATH=/usr/bin
	   PS1=$

	+  The TERM variable is retained.

	+  The rest of the environment is deleted and reset to the login
	   state.  However, the login files are normally executed anyway,
	   usually restoring the expected value of PATH and other variables.

      If the - option is omitted, the new shell starts as if a subshell was
      invoked.  Exceptions are as follows:



 Hewlett-Packard Company	    - 1 -   HP-UX Release 11i: November 2000






	+  If the new user name is root, the path and prompt variables are
	   reset:

	   PATH=/usr/bin:/usr/sbin:/sbin
	   PS1=#

	+  The previously defined HOME and ENV environment variables are
	   removed.

	+  The rest of the environment is retained.

      If the shell specified in /etc/passwd is /usr/bin/sh, su sets the
      value of parameter 0 in the new shell (referenced as $0) to su.  If
      the - option of the su command is specified, su sets parameter 0 to
      -su.

      If the shell specified in /etc/passwd is not /usr/bin/sh, su sets the
      value of parameter 0 in the new shell to shellname.  If the - option
      of the su command is specified, su sets parameter 0 to -shellname.
      For example, if the Korn shell is invoked, the value of shellname will
      be either ksh or -ksh.

      By comparison, the login command always sets parameter 0 to
      -shellname.

      All attempts to become another user are logged in /var/adm/sulog,
      including failures.  Successful attempts are flagged with +; failures,
      with -.  They are also logged with syslog() (see syslog(3C)).
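
Added example (not part of the HP manual page): a shell function that scans a sulog-style file for repeated failed attempts to become a given user and notes whether a success followed them. The line layout SU MM/DD HH:MM FLAG TTY FROMUSER-TOUSER, the function names and the sample lines are assumptions constructed for illustration; only the + and - flags come from the page.

```shell
#!/bin/sh
# Assumed sulog line layout (not stated on this page):
#   SU MM/DD HH:MM FLAG TTY FROMUSER-TOUSER
# FLAG is + for a successful attempt and - for a failure.

# sample_sulog: constructed sample lines, not taken from a real system.
sample_sulog() {
    cat <<'EOF'
SU 03/14 09:01 + pts/0 alice-root
SU 03/14 09:15 - pts/2 bob-root
SU 03/14 09:15 - pts/2 bob-root
SU 03/14 09:16 - pts/2 bob-root
SU 03/14 09:17 + pts/2 bob-root
SU 03/14 10:02 - pts/3 carol-bin
SU 03/14 10:30 - pts/4 web-svc-root
SU 03/14 10:31 - pts/4 web-svc-root
EOF
}

# su_failures FILE TARGET THRESHOLD
# Prints "fromuser failures status" for each source user with at least
# THRESHOLD failed attempts to become TARGET. status is "then-succeeded"
# when a success was logged after the threshold had been reached.
su_failures() {
    awk -v target="$2" -v min="$3" '
        BEGIN { suffix = "-" target }
        $1 == "SU" && NF >= 6 && ($4 == "+" || $4 == "-") {
            # Match on the "-TARGET" suffix so that source login names
            # containing a hyphen are still split correctly.
            n = length($6) - length(suffix)
            if (n < 1 || substr($6, n + 1) != suffix) next
            from = substr($6, 1, n)
            if ($4 == "-") fails[from]++
            else if ((from in fails) && fails[from] >= min + 0) hit[from] = 1
        }
        END {
            for (u in fails)
                if (fails[u] >= min + 0)
                    print u, fails[u], ((u in hit) ? "then-succeeded" : "no-success")
        }
    ' "$1" | sort
}
```

On a live system the first argument would be /var/adm/sulog, which normally requires superuser privileges to read.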

    HP-UX Smart Card Login
      If the user account is configured to use a Smart Card, the user
      password is stored in the card.  This password has characteristics
      identical to a normal password stored on the system.

      In order to su using a Smart Card account, the Smart Card from the
      destination user account must be inserted into the Smart Card reader.
      The user is prompted for a PIN instead of a password during
      authentication.

	   Enter PIN:

      The password is retrieved automatically from the Smart Card when a
      valid PIN is entered.  Therefore, it is not necessary to know the
      password, only the PIN.

      The card is locked if an incorrect PIN is entered three consecutive
      times.  It may be unlocked only by the card issuer.

 SECURITY FEATURES
      Except for user root, users on a trusted system cannot use su to
      change to an account that has been locked because of expired passwords
      or other access restrictions.

      Refer to the /etc/default/security file in the security(4) manual page
      for detailed information on configurable parameters that affect the
      behavior of this command.  Currently, the supported parameters for the
      su command are:

	   SU_ROOT_GROUP

	   SU_DEFAULT_PATH

 EXTERNAL INFLUENCES
    Environment Variables
      HOME	     User's home directory

      LANG	     The language in which messages are displayed.  If LANG
		     is not specified or is null, it defaults to C (see
		     lang(5)).  If any internationalization variable
		     contains an invalid setting, all internationalization
		     variables default to C (see environ(5)).

      LOGNAME	     User's login name

      PATH	     Command name search path

      PS1	     Default prompt

      SHELL	     Name of the user's shell

    International Code Set Support
      Characters in the 7-bit US-ASCII code sets are supported in login
      names (see ascii(5)).

 EXAMPLES
      Become user bin while retaining the previously exported environment:

	   su bin

      Become user bin but change the environment to what would be expected
      if bin had originally logged in:

	   su - bin

      Execute command and its arguments using the temporary environment and
      permissions of user bin:

	   su - bin -c command arguments

 WARNINGS
      After a valid password is supplied, su uses information from
      /etc/passwd and /etc/logingroup to determine the user's group ID and
      group access list.  If /etc/group is linked to /etc/logingroup, and
      group membership for the user trying to log in is managed by the
      Network Information Service (NIS), and no NIS server is able to
      respond, su waits until a server does respond.

      In normal operation, root is able to su to another user's account
      without being prompted for a password.  However, DCE (Distributed
      Computing Environment) credentials for a user cannot be obtained
      without that user's password.  Therefore, if DCE is being used as the
      authentication mechanism, and root wants to su to another user's
      account and get DCE credentials for that user, the -d flag must be
      specified.  With this flag set, root will be prompted for the user's
      password and should supply that user's password at the prompt.  For
      example:

	   su -d DCEPrincipalName

      The -d flag cannot be used with the -c flag.

 DEPENDENCIES
    Pluggable Authentication Modules (PAM)
      PAM is an Open Group standard for user authentication, password
      modification, and account validation.  In particular,
      pam_authenticate() is invoked to perform all functions related to su.
      This includes password retrieval, account validation, and error
      message displays.

 FILES
      $HOME/.profile	      User's profile
      /etc/logingroup	      System's default group access list file
      /etc/passwd	      System's password file
      /etc/profile	      System's profile
      /var/adm/sulog	      Log of all attempts
      /etc/default/security   Security defaults configuration file

 SEE ALSO
      env(1), login(1), sh(1), initgroups(3C), syslog(3C), group(4),
      passwd(4), profile(4), security(4), environ(5).

    Pluggable Authentication Modules (PAM)
      pam_acct_mgmt(3), pam_authenticate(3).

    HP-UX Smart Card Login
      scpin(1).

 STANDARDS CONFORMANCE
      su: SVID2, SVID3, XPG2






