su (8) ( Русские man: Команды системного администрирования )
BSD mandoc
NAME
su
- substitute user identity
SYNOPSIS
[-
]
[-flms
]
[-c class
]
[login [args
]
]
DESCRIPTION
The
utility requests appropriate user credentials via PAM
and switches to that user ID
(the default user is the superuser).
A shell is then executed.
PAM is used to set the policy
su(1)
will use.
In particular, by default only users in the
``wheel
''
group can switch to UID 0
(``root
''
)
This group requirement may be changed by modifying the
``pam_group
''
section of
/etc/pam.d/su
See
pam_group8
for details on how to modify this setting.
By default, the environment is unmodified with the exception of
USERHOME
and
SHELLHOME
and
SHELL
are set to the target login's default values.
USER
is set to the target login, unless the target login has a user ID of 0,
in which case it is unmodified.
The invoked shell is the one belonging to the target login.
This is the traditional behavior of
.
Resource limits and session priority applicable to the original user's
login class (see
login.conf5)
are also normally retained unless the target login has a user ID of 0.
The options are as follows:
-f
If the invoked shell is
csh(1),
this option prevents it from reading the
``.cshrc
''
file.
-l
Simulate a full login.
The environment is discarded except for
HOMESHELLPATHTERM
and
USERHOME
and
SHELL
are modified as above.
USER
is set to the target login.
PATH
is set to
``/bin:/usr/bin
''
TERM
is imported from your current environment.
Environment variables may be set or overridden from the login class
capabilities database according to the class of the target login.
The invoked shell is the target login's, and
will change directory to the target login's home directory.
Resource limits and session priority are modified to that for the
target account's login class.
-
(no letter) The same as
-l
-m
Leave the environment unmodified.
The invoked shell is your login shell, and no directory changes are made.
As a security precaution, if the target user's shell is a non-standard
shell (as defined by
getusershell(3))
and the caller's real uid is
non-zero,
will fail.
-s
Set the MAC label to the user's default label as part of the user
credential setup.
Setting the MAC label may fail if the MAC label of the invoking process
is not sufficient to transition to the user's default MAC label.
If the label cannot be set,
will fail.
-c class
Use the settings of the specified login class.
Only allowed for the super-user.
The
-l
(or
-)
and
-m
options are mutually exclusive; the last one specified
overrides any previous ones.
If the optional
args
are provided on the command line, they are passed to the login shell of
the target login.
Note that all command line arguments before the target login name are
processed by
itself, everything after the target login name gets passed to the login
shell.
By default (unless the prompt is reset by a startup file) the super-user
prompt is set to
``#
''
to remind one of its awesome power.
ENVIRONMENT
Environment variables used by
:
HOME
Default home directory of real user ID unless modified as
specified above.
PATH
Default search path of real user ID unless modified as specified above.
TERM
Provides terminal type which may be retained for the substituted
user ID.
USER
The user ID is always the effective ID (the target user ID) after an
unless the user ID is 0 (root).
FILES
/etc/pam.d/su
PAM configuration for
.
EXAMPLES
su -m man -c catman
Runs the command
catman
as user
man
You will be asked for man's password unless your real UID is 0.
Note that the
-m
option is required since user
``man''
does not have a valid shell by default.
su -m man -c 'catman /usr/share/man /usr/local/man'
Same as above, but the target command consists of more than a
single word and hence is quoted for use with the
-c
option being passed to the shell.
(Most shells expect the argument to
-c
to be a single word).
su -m -c staff man -c 'catman /usr/share/man /usr/local/man'
Same as above, but the target command is run with the resource limits of
the login class
``staff''
Note: in this example, the first
-c
option applies to
while the second is an argument to the shell being invoked.
