.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.1 <http://docbook.sf.net/>
.\" Manual: User Commands
.\" Source: User Commands
.TH "SU" "1" "07/24/2009" "User Commands" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.\" disable justification (adjust text to left margin only)
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
su \- change user ID or become superuser
\fBsu\fR [\fIoptions\fR] [\fIusername\fR]
command is used to become another user during a login session\&. Invoked without a
defaults to becoming the superuser\&. The optional argument
may be used to provide an environment similar to what the user would expect had the user logged in directly\&.
Additional arguments may be provided after the username, in which case they are supplied to the user\'s login shell\&. In particular, an argument of
will cause the next argument to be treated as a command by most command interpreters\&. The command will be executed by the shell specified in
for the target user\&.
options from the arguments supplied to the shell\&.
The user will be prompted for a password, if appropriate\&. Invalid passwords will produce an error message\&. All attempts, both valid and invalid, are logged to detect abuse of the system\&.
The current environment is passed to the new shell\&. The value of
/sbin:/bin:/usr/sbin:/usr/bin
for the superuser\&. This may be changed with the
A subsystem login is indicated by the presence of a "*" as the first character of the login shell\&. The given home directory will be used as the root of a new file system which the user is actually logged into\&.
The options which apply to the
\fB\-c\fR, \fB\-\-command\fR \fICOMMAND\fR
Specify a command that will be invoked by the shell using its
\fB\-\fR, \fB\-l\fR, \fB\-\-login\fR
Provide an environment similar to what the user would expect had the user logged in directly\&.
is used, it must be specified as the last
option\&. The other forms (\fB\-l\fR
\fB\-\-login\fR) do not have this restriction\&.
\fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR
The shell that will be invoked\&.
The invoked shell is chosen from (highest priority first):
The shell specified with \-\-shell\&.
\fB\-\-preserve\-environment\fR
is used, the shell specified by the
environment variable\&.
The shell indicated in the
entry for the target user\&.
if a shell could not be found by any above method\&.
If the target user has a restricted shell (i\&.e\&. the shell field of this user\'s entry in
/etc/shells), then the
environment variable won\'t be taken into account, unless
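The selection order above, written out as an added example that is not code from su itself. It assumes two things this page does not spell out: a target shell counts as restricted when it is missing from the shells list, and /bin/sh is the last-resort fallback. pick_su_shell and SAMPLE_SHELLS are hypothetical names.

```sh
#!/bin/sh
# Added example (not shadow's code): the shell-selection order listed above.
# Assumptions: "restricted" means the target's passwd shell is absent from
# the shells list, and /bin/sh is the final fallback.

# pick_su_shell OPT_SHELL PRESERVE(yes|no) ENV_SHELL PASSWD_SHELL CALLER_UID SHELLS
# SHELLS is the content of the shells file, one path per line.
pick_su_shell() {
    opt=$1; preserve=$2; env_shell=$3; pw_shell=$4; caller_uid=$5; shells=$6

    # Restricted target shell: a non-root caller cannot override it with
    # --shell or with $SHELL.
    if [ "$caller_uid" -ne 0 ] &&
       ! printf '%s\n' "$shells" | grep -qxF -e "${pw_shell:-/bin/sh}"; then
        opt=""; preserve=no
    fi

    if [ -n "$opt" ]; then
        printf '%s\n' "$opt"          # 1. --shell
    elif [ "$preserve" = yes ] && [ -n "$env_shell" ]; then
        printf '%s\n' "$env_shell"    # 2. $SHELL with --preserve-environment
    elif [ -n "$pw_shell" ]; then
        printf '%s\n' "$pw_shell"     # 3. shell from the passwd entry
    else
        printf '%s\n' /bin/sh         # 4. nothing found by the steps above
    fi
}

# Constructed shells list for the demonstration.
SAMPLE_SHELLS='/bin/sh
/bin/bash'

# Ordinary caller, normal target shell: --shell wins.
pick_su_shell /bin/bash no  /bin/zsh /bin/sh           1000 "$SAMPLE_SHELLS"
# Ordinary caller, restricted target shell: both overrides are ignored.
pick_su_shell /bin/bash yes /bin/zsh /usr/sbin/nologin 1000 "$SAMPLE_SHELLS"
# Root caller, restricted target shell: --shell is honoured.
pick_su_shell /bin/bash no  ""       /usr/sbin/nologin 0    "$SAMPLE_SHELLS"
```

The second call is the case worth checking on a real host: an account whose shell is deliberately not in the shells list keeps that shell no matter what an unprivileged caller passes.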
\fB\-m\fR, \fB\-p\fR, \fB\-\-preserve\-environment\fR
Preserve the current environment, except for:
reset according to the
\(lq<space><tab><newline>\(rq, if it was set\&.
If the target user has a restricted shell, this option has no effect (unless
is called by root)\&.
Note that the default behavior for the environment is the following:
environment variables are reset\&.
is not used, the environment is copied, except for the variables above\&.
environment variables are copied if they were set\&.
environment variables are set according to the
is used, other environment variables might be set by the
has many compilation options, only some of which may be in use at any particular site\&.
The following configuration variables in
change the behavior of this tool:
\fBCONSOLE\fR (string)
If defined, either full pathname of a file containing device names (one per line) or a ":" delimited list of device names\&. Root logins will be allowed only upon these devices\&.
If not defined, root will be allowed on any device\&.
The device should be specified without the /dev/ prefix\&.
\fBCONSOLE_GROUPS\fR (string)
List of groups to add to the user\'s supplementary groups set when logging in on the console (as determined by the CONSOLE setting)\&. Default is none\&.
Use with caution \- it is possible for users to gain permanent access to these groups, even when not logged in on the console\&.
\fBDEFAULT_HOME\fR (boolean)
Indicate if login is allowed if we can\'t cd to the home directory\&. Default is no\&.
\fIyes\fR, the user will log in to the root (/) directory if it is not possible to cd to her home directory\&.
\fBENV_HZ\fR (string)
If set, it will be used to define the HZ environment variable when a user logs in\&. The value must be preceded by
\fIHZ=\fR\&. A common value on Linux is
\fBENVIRON_FILE\fR (string)
If this file exists and is readable, login environment will be read from it\&. Every line should be in the form name=value\&.
Lines starting with a # are treated as comment lines and ignored\&.
\fBENV_PATH\fR (string)
If set, it will be used to define the PATH environment variable when a regular user logs in\&. The value can be preceded by
\fIPATH=\fR, or a colon separated list of paths (for example
\fI/bin:/usr/bin\fR)\&. The default value is
\fIPATH=/bin:/usr/bin\fR\&.
\fBENV_SUPATH\fR (string)
If set, it will be used to define the PATH environment variable when the superuser logs in\&. The value can be preceded by
\fIPATH=\fR, or a colon separated list of paths (for example
\fI/sbin:/bin:/usr/sbin:/usr/bin\fR)\&. The default value is
\fIPATH=/bin:/usr/bin\fR\&.
\fBENV_TZ\fR (string)
If set, it will be used to define the TZ environment variable when a user logs in\&. The value can be the name of a timezone preceded by
\fITZ=CST6CDT\fR), or the full path to the file containing the timezone specification (for example
If a full path is specified but the file does not exist or cannot be read, the default is to use
\fBLOGIN_STRING\fR (string)
The string used for prompting a password\&. The default is to use "Password: ", or a translation of that string\&. If you set this variable, the prompt will not be translated\&.
If the string contains
\fI%s\fR, this will be replaced by the user\'s name\&.
\fBMAIL_CHECK_ENAB\fR (boolean)
Enable checking and display of mailbox status upon login\&.
You should disable it if the shell startup files already check for mail ("mailx \-e" or equivalent)\&.
\fBMAIL_DIR\fR (string)
The mail spool directory\&. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted\&. If not specified, a compile\-time default is used\&.
\fBMAIL_FILE\fR (string)
Defines the location of the users\' mail spool files relative to their home directory\&.
variables are used by
to create, move, or delete the user\'s mail spool\&.
\fBMAIL_CHECK_ENAB\fR
\fIyes\fR, they are also used to define the
environment variable\&.
\fBQUOTAS_ENAB\fR (boolean)
Enable setting of ulimit, umask, and niceness from passwd gecos field\&.
\fBSULOG_FILE\fR (string)
If defined, all su activity is logged to this file\&.
\fBSU_NAME\fR (string)
If defined, the command name to display when running "su \-"\&. For example, if this is defined as "su" then "ps" will display the command as "\-su"\&. If not defined, then "ps" would display the name of the shell actually being run, e\&.g\&. something like "\-sh"\&.
\fBSU_WHEEL_ONLY\fR (boolean)
\fIyes\fR, the user must be listed as a member of the first gid 0 group in
on most Linux systems) to be able to
to uid 0 accounts\&. If the group doesn\'t exist or is empty, no one will be able to
\fBSYSLOG_SU_ENAB\fR (boolean)
Enable "syslog" logging of
activity \- in addition to sulog file logging\&.
\fBUSERGROUPS_ENAB\fR (boolean)
Enable setting of the umask group bits to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007) for non\-root users, if the uid is the same as gid, and username is the same as the primary group name\&.
will remove the user\'s group if it contains no more members, and
will create by default a group with the name of the user\&.
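An added audit example, not part of the shadow suite, that reads the su-related variables described above from the text of the configuration file and prints one line per setting worth reviewing. The function names, the constructed sample, and the choice of which states count as findings are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the shadow suite: flag su-related settings
# described above. What counts as a finding is this example's policy.

# get_def TEXT NAME: print NAME's value; lines starting with '#' are comments.
# Assumption: if NAME repeats, the last assignment is the one reported.
get_def() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ { next }
        $1 == k    { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END        { print v }'
}

# is_yes TEXT NAME: true when the boolean NAME is set to yes (any case).
is_yes() {
    [ "$(get_def "$1" "$2" | tr 'A-Z' 'a-z')" = yes ]
}

# audit_su_defs TEXT: print one "NAME: reason" line per finding.
audit_su_defs() {
    is_yes "$1" SU_WHEEL_ONLY ||
        echo "SU_WHEEL_ONLY: not yes, su to uid 0 is open beyond the gid 0 group"
    is_yes "$1" SYSLOG_SU_ENAB ||
        echo "SYSLOG_SU_ENAB: not yes, syslog logging of su is not enabled here"
    [ -n "$(get_def "$1" SULOG_FILE)" ] ||
        echo "SULOG_FILE: undefined, no dedicated su log file"
    [ -n "$(get_def "$1" CONSOLE)" ] ||
        echo "CONSOLE: undefined, root is allowed on any device"
    [ -z "$(get_def "$1" CONSOLE_GROUPS)" ] ||
        echo "CONSOLE_GROUPS: set, users may keep these groups off the console"
    return 0
}

# Constructed sample; not taken from a real host.
SAMPLE_DEFS='# constructed configuration fragment
SYSLOG_SU_ENAB   yes
#SU_WHEEL_ONLY   yes
SULOG_FILE       /var/log/sulog
CONSOLE_GROUPS   floppy:audio'

audit_su_defs "$SAMPLE_DEFS"
```

The sample yields three findings: the commented-out SU_WHEEL_ONLY, the missing CONSOLE, and the populated CONSOLE_GROUPS. On a real host, pass the file's content as the argument instead of SAMPLE_DEFS.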
User account information\&.
Secure user account information\&.
Shadow password suite configuration\&.