3
.\" Author: Julianne Frances Haugh
4
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
6
.\" Manual: User Commands
7
.\" Source: shadow-utils 4.1.5.1
10
.TH "SU" "1" "05/25/2012" "shadow\-utils 4\&.1\&.5\&.1" "User Commands"
11
.\" -----------------------------------------------------------------
12
.\" * Define some portability stuff
13
.\" -----------------------------------------------------------------
14
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
15
.\" http://bugs.debian.org/507673
16
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
17
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
20
.\" -----------------------------------------------------------------
21
.\" * set default formatting
22
.\" -----------------------------------------------------------------
23
.\" disable hyphenation
25
.\" disable justification (adjust text to left margin only)
27
.\" -----------------------------------------------------------------
28
.\" * MAIN CONTENT STARTS HERE *
29
.\" -----------------------------------------------------------------
31
su \- change user ID or become superuser
34
\fBsu\fR [\fIoptions\fR] [\fIusername\fR]
39
command is used to become another user during a login session\&. Invoked without a
42
defaults to becoming the superuser\&. The optional argument
44
may be used to provide an environment similar to what the user would expect had the user logged in directly\&.
46
Additional arguments may be provided after the username, in which case they are supplied to the user\*(Aqs login shell\&. In particular, an argument of
48
will cause the next argument to be treated as a command by most command interpreters\&. The command will be executed by the shell specified in
50
for the target user\&.
56
options from the arguments supplied to the shell\&.
58
The user will be prompted for a password, if appropriate\&. Invalid passwords will produce an error message\&. All attempts, both valid and invalid, are logged to detect abuse of the system\&.
60
The current environment is passed to the new shell\&. The value of
65
/sbin:/bin:/usr/sbin:/usr/bin
66
for the superuser\&. This may be changed with the
73
A subsystem login is indicated by the presence of a "*" as the first character of the login shell\&. The given home directory will be used as the root of a new file system which the user is actually logged into\&.
76
The options which apply to the
80
\fB\-c\fR, \fB\-\-command\fR \fICOMMAND\fR
82
Specify a command that will be invoked by the shell using its
85
The executed command will have no controlling terminal\&. This option cannot be used to execute interractive programs which need a controlling TTY\&.
88
\fB\-\fR, \fB\-l\fR, \fB\-\-login\fR
90
Provide an environment similar to what the user would expect had the user logged in directly\&.
94
is used, it must be specified as the last
96
option\&. The other forms (\fB\-l\fR
98
\fB\-\-login\fR) do not have this restriction\&.
101
\fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR
103
The shell that will be invoked\&.
105
The invoked shell is chosen from (highest priority first):
108
The shell specified with \-\-shell\&.
113
\fB\-\-preserve\-environment\fR
114
is used, the shell specified by the
116
environment variable\&.
120
The shell indicated in the
122
entry for the target user\&.
127
if a shell could not be found by any above method\&.
130
If the target user has a restricted shell (i\&.e\&. the shell field of this user\*(Aqs entry in
133
/etc/shells), then the
137
environment variable won\*(Aqt be taken into account, unless
142
\fB\-m\fR, \fB\-p\fR, \fB\-\-preserve\-environment\fR
144
Preserve the current environment, except for:
148
reset according to the
160
\(lq<space><tab><newline>\(rq, if it was set\&.
163
If the target user has a restricted shell, this option has no effect (unless
165
is called by root)\&.
167
Note that the default behavior for the environment is the following:
177
environment variables are reset\&.
183
is not used, the environment is copied, except for the variables above\&.
194
environment variables are copied if they were set\&.
204
environment variables are set according to the
217
is used, other environment variables might be set by the
227
has many compilation options, only some of which may be in use at any particular site\&.
230
The following configuration variables in
232
change the behavior of this tool:
234
\fBCONSOLE\fR (string)
236
If defined, either full pathname of a file containing device names (one per line) or a ":" delimited list of device names\&. Root logins will be allowed only upon these devices\&.
238
If not defined, root will be allowed on any device\&.
240
The device should be specified without the /dev/ prefix\&.
243
\fBCONSOLE_GROUPS\fR (string)
245
List of groups to add to the user\*(Aqs supplementary groups set when logging in on the console (as determined by the CONSOLE setting)\&. Default is none\&.
247
Use with caution \- it is possible for users to gain permanent access to these groups, even when not logged in on the console\&.
250
\fBDEFAULT_HOME\fR (boolean)
252
Indicate if login is allowed if we can\*(Aqt cd to the home directory\&. Default is no\&.
255
\fIyes\fR, the user will login in the root (/) directory if it is not possible to cd to her home directory\&.
258
\fBENV_HZ\fR (string)
260
If set, it will be used to define the HZ environment variable when a user login\&. The value must be preceded by
261
\fIHZ=\fR\&. A common value on Linux is
265
\fBENVIRON_FILE\fR (string)
267
If this file exists and is readable, login environment will be read from it\&. Every line should be in the form name=value\&.
269
Lines starting with a # are treated as comment lines and ignored\&.
272
\fBENV_PATH\fR (string)
274
If set, it will be used to define the PATH environment variable when a regular user login\&. The value is a colon separated list of paths (for example
275
\fI/bin:/usr/bin\fR) and can be preceded by
276
\fIPATH=\fR\&. The default value is
277
\fIPATH=/bin:/usr/bin\fR\&.
280
\fBENV_SUPATH\fR (string)
282
If set, it will be used to define the PATH environment variable when the superuser login\&. The value is a colon separated list of paths (for example
283
\fI/sbin:/bin:/usr/sbin:/usr/bin\fR) and can be preceded by
284
\fIPATH=\fR\&. The default value is
285
\fIPATH=/sbin:/bin:/usr/sbin:/usr/bin\fR\&.
288
\fBENV_TZ\fR (string)
290
If set, it will be used to define the TZ environment variable when a user login\&. The value can be the name of a timezone preceded by
293
\fITZ=CST6CDT\fR), or the full path to the file containing the timezone specification (for example
296
If a full path is specified but the file does not exist or cannot be read, the default is to use
300
\fBLOGIN_STRING\fR (string)
302
The string used for prompting a password\&. The default is to use "Password: ", or a translation of that string\&. If you set this variable, the prompt will not be translated\&.
304
If the string contains
305
\fI%s\fR, this will be replaced by the user\*(Aqs name\&.
308
\fBMAIL_CHECK_ENAB\fR (boolean)
310
Enable checking and display of mailbox status upon login\&.
312
You should disable it if the shell startup files already check for mail ("mailx \-e" or equivalent)\&.
315
\fBMAIL_DIR\fR (string)
317
The mail spool directory\&. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted\&. If not specified, a compile\-time default is used\&.
320
\fBMAIL_FILE\fR (string)
322
Defines the location of the users mail spool files relatively to their home directory\&.
329
variables are used by
333
to create, move, or delete the user\*(Aqs mail spool\&.
336
\fBMAIL_CHECK_ENAB\fR
338
\fIyes\fR, they are also used to define the
340
environment variable\&.
342
\fBQUOTAS_ENAB\fR (boolean)
344
Enable setting of resource limits from
346
and ulimit, umask, and niceness from the user\*(Aqs passwd gecos field\&.
349
\fBSULOG_FILE\fR (string)
351
If defined, all su activity is logged to this file\&.
354
\fBSU_NAME\fR (string)
356
If defined, the command name to display when running "su \-"\&. For example, if this is defined as "su" then a "ps" will display the command is "\-su"\&. If not defined, then "ps" would display the name of the shell actually being run, e\&.g\&. something like "\-sh"\&.
359
\fBSU_WHEEL_ONLY\fR (boolean)
362
\fIyes\fR, the user must be listed as a member of the first gid 0 group in
366
on most Linux systems) to be able to
368
to uid 0 accounts\&. If the group doesn\*(Aqt exist or is empty, no one will be able to
373
\fBSYSLOG_SU_ENAB\fR (boolean)
375
Enable "syslog" logging of
377
activity \- in addition to sulog file logging\&.
380
\fBUSERGROUPS_ENAB\fR (boolean)
382
Enable setting of the umask group bits to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007) for non\-root users, if the uid is the same as gid, and username is the same as the primary group name\&.
387
will remove the user\*(Aqs group if it contains no more members, and
389
will create by default a group with the name of the user\&.
395
User account information\&.
400
Secure user account information\&.
405
Shadow password suite configuration\&.
411
returns the exit value of the command it executed\&.
413
If this command was terminated by a signal,
415
returns the number of this signal plus 128\&.
417
If su has to kill the command (because it was asked to terminate, and the command did not terminate in time),
421
Some exit values from
423
are independent from the executed command:
427
success (\fB\-\-help\fR
433
System or authentication failure
438
The requested command was not found
443
The requested command could not be executed