SU

Additional arguments may be provided after the username, in which case they are supplied to the user's login shell. In particular, an argument of -c will cause the next argument to be treated as a command by most command interpreters. The command will be executed by the shell specified in /etc/passwd for the target user.

You can use the -- argument to separate su options from the arguments supplied to the shell.

The user will be prompted for a password, if appropriate. Invalid passwords will produce an error message. All attempts, both valid and invalid, are logged to detect abuse of the system.

The current environment is passed to the new shell. The value of $PATH is reset to /bin:/usr/bin for normal users, or /sbin:/bin:/usr/sbin:/usr/bin for the superuser. This may be changed with the ENV_PATH and ENV_SUPATH definitions in /etc/login.defs.

A subsystem login is indicated by the presence of a "*" as the first character of the login shell. The given home directory will be used as the root of a new file system which the user is actually logged into.  

OPTIONS

The options which apply to the su command are:

-c, --command COMMAND

Specify a command that will be invoked by the shell using its -c.

The executed command will have no controlling terminal. This option cannot be used to execute interactive programs which need a controlling TTY.

-, -l, --login

Provide an environment similar to what the user would expect had the user logged in directly.

When - is used, it must be specified before any username. For portability it is recommended to use it as last option, before any username. The other forms (-l and --login) do not have this restriction.

-s, --shell SHELL

The shell that will be invoked.

The invoked shell is chosen from (highest priority first):

The shell specified with --shell.

If --preserve-environment is used, the shell specified by the $SHELL environment variable.

The shell indicated in the /etc/passwd entry for the target user.

/bin/sh if a shell could not be found by any above method.

If the target user has a restricted shell (i.e. the shell field of this user's entry in /etc/passwd is not listed in /etc/shells), then the --shell option or the $SHELL environment variable won't be taken into account, unless su is called by root.

-m, -p, --preserve-environment

Preserve the current environment, except for:

$PATH

reset according to the /etc/login.defs options ENV_PATH or ENV_SUPATH (see below);

$IFS

reset to lq<space><tab><newline>rq, if it was set.

If the target user has a restricted shell, this option has no effect (unless su is called by root).

Note that the default behavior for the environment is the following:

The $HOME, $SHELL, $USER, $LOGNAME, $PATH, and $IFS environment variables are reset.

If --login is not used, the environment is copied, except for the variables above.

If --login is used, the $TERM, $COLORTERM, $DISPLAY, and $XAUTHORITY environment variables are copied if they were set.

If --login is used, the $TZ, $HZ, and $MAIL environment variables are set according to the /etc/login.defs options ENV_TZ, ENV_HZ, MAIL_DIR, and MAIL_FILE (see below).

If --login is used, other environment variables might be set by the ENVIRON_FILE file (see below).

CAVEATS

This version of su has many compilation options, only some of which may be in use at any particular site.  

CONFIGURATION

The following configuration variables in /etc/login.defs change the behavior of this tool:

CONSOLE (string)

If defined, either full pathname of a file containing device names (one per line) or a ":" delimited list of device names. Root logins will be allowed only upon these devices.

If not defined, root will be allowed on any device.

The device should be specified without the /dev/ prefix.

CONSOLE_GROUPS (string)

List of groups to add to the user's supplementary groups set when logging in on the console (as determined by the CONSOLE setting). Default is none.

Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console.

DEFAULT_HOME (boolean)

Indicate if login is allowed if we can't cd to the home directory. Default is no.

If set to yes, the user will login in the root (/) directory if it is not possible to cd to her home directory.

ENV_HZ (string)

If set, it will be used to define the HZ environment variable when a user login. The value must be preceded by HZ=. A common value on Linux is HZ=100.

ENVIRON_FILE (string)

If this file exists and is readable, login environment will be read from it. Every line should be in the form name=value.

Lines starting with a # are treated as comment lines and ignored.

ENV_PATH (string)

If set, it will be used to define the PATH environment variable when a regular user login. The value is a colon separated list of paths (for example /bin:/usr/bin) and can be preceded by PATH=. The default value is PATH=/bin:/usr/bin.

ENV_SUPATH (string)

If set, it will be used to define the PATH environment variable when the superuser login. The value is a colon separated list of paths (for example /sbin:/bin:/usr/sbin:/usr/bin) and can be preceded by PATH=. The default value is PATH=/sbin:/bin:/usr/sbin:/usr/bin.

ENV_TZ (string)

If set, it will be used to define the TZ environment variable when a user login. The value can be the name of a timezone preceded by TZ= (for example TZ=CST6CDT), or the full path to the file containing the timezone specification (for example /etc/tzname).

If a full path is specified but the file does not exist or cannot be read, the default is to use TZ=CST6CDT.

LOGIN_STRING (string)

The string used for prompting a password. The default is to use "Password: ", or a translation of that string. If you set this variable, the prompt will not be translated.

If the string contains %s, this will be replaced by the user's name.

MAIL_CHECK_ENAB (boolean)

Enable checking and display of mailbox status upon login.

You should disable it if the shell startup files already check for mail ("mailx -e" or equivalent).

MAIL_DIR (string)

The mail spool directory. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted. If not specified, a compile-time default is used.

MAIL_FILE (string)

Defines the location of the users mail spool files relatively to their home directory.

The MAIL_DIR and MAIL_FILE variables are used by useradd, usermod, and userdel to create, move, or delete the user's mail spool.

If MAIL_CHECK_ENAB is set to yes, they are also used to define the MAIL environment variable.

QUOTAS_ENAB (boolean)

Enable setting of resource limits from /etc/limits and ulimit, umask, and niceness from the user's passwd gecos field.

SULOG_FILE (string)

If defined, all su activity is logged to this file.

SU_NAME (string)

If defined, the command name to display when running "su -". For example, if this is defined as "su" then a "ps" will display the command is "-su". If not defined, then "ps" would display the name of the shell actually being run, e.g. something like "-sh".

SU_WHEEL_ONLY (boolean)

If yes, the user must be listed as a member of the first gid 0 group in /etc/group (called root on most Linux systems) to be able to su to uid 0 accounts. If the group doesn't exist or is empty, no one will be able to su to uid 0.

SYSLOG_SU_ENAB (boolean)

Enable "syslog" logging of su activity - in addition to sulog file logging.

USERGROUPS_ENAB (boolean)

Enable setting of the umask group bits to be the same as owner bits (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.

If set to yes, userdel will remove the user's group if it contains no more members, and useradd will create by default a group with the name of the user.

FILES

/etc/passwd

User account information.

/etc/shadow

Secure user account information.

/etc/login.defs

Shadow password suite configuration.

EXIT VALUES

On success, su returns the exit value of the command it executed.

If this command was terminated by a signal, su returns the number of this signal plus 128.

If su has to kill the command (because it was asked to terminate, and the command did not terminate in time), su returns 255.

Some exit values from su are independent from the executed command:

0

success (--help only)

1

System or authentication failure

126

The requested command was not found

127

The requested command could not be executed

SEE ALSO

login(1), login.defs(5), sg(1), sh(1).

Index

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

CAVEATS

CONFIGURATION

FILES

EXIT VALUES

SEE ALSO