~serge-hallyn/ubuntu/raring/shadow/shadow-userns

Additional arguments may be provided after the username, in which case they are supplied to the user\*(Aqs login shell\&. In particular, an argument of

\fB\-c\fR

will cause the next argument to be treated as a command by most command interpreters\&. The command will be executed by the shell specified in

/etc/passwd

for the target user\&.

.PP

You can use the

\fB\-\-\fR

argument to separate

\fBsu\fR

options from the arguments supplied to the shell\&.

.PP

The user will be prompted for a password, if appropriate\&. Invalid passwords will produce an error message\&. All attempts, both valid and invalid, are logged to detect abuse of the system\&.

.PP

The current environment is passed to the new shell\&. The value of

\fB$PATH\fR

is reset to

/bin:/usr/bin

for normal users, or

/sbin:/bin:/usr/sbin:/usr/bin

for the superuser\&. This may be changed with the

\fBENV_PATH\fR

and

\fBENV_SUPATH\fR

definitions in

/etc/login\&.defs\&.

.PP

A subsystem login is indicated by the presence of a "*" as the first character of the login shell\&. The given home directory will be used as the root of a new file system which the user is actually logged into\&.

.SH "OPTIONS"

.PP

The options which apply to the

\fBsu\fR

command are:

.PP

\fB\-c\fR, \fB\-\-command\fR \fICOMMAND\fR

.RS 4

Specify a command that will be invoked by the shell using its

\fB\-c\fR\&.

.sp

The executed command will have no controlling terminal\&. This option cannot be used to execute interractive programs which need a controlling TTY\&.

.RE

.PP

\fB\-\fR, \fB\-l\fR, \fB\-\-login\fR

.RS 4

Provide an environment similar to what the user would expect had the user logged in directly\&.

.sp

When

\fB\-\fR

is used, it must be specified as the last

\fBsu\fR

option\&. The other forms (\fB\-l\fR

and

\fB\-\-login\fR) do not have this restriction\&.

.RE

100

.PP

101

\fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR

102

.RS 4

103

The shell that will be invoked\&.

104

.sp

105

The invoked shell is chosen from (highest priority first):

106

.PP

107

.RS 4

108

The shell specified with \-\-shell\&.

109

.RE

110

.PP

111

.RS 4

112

113

\fB\-\-preserve\-environment\fR

114

is used, the shell specified by the

115

\fB$SHELL\fR

116

environment variable\&.

117

.RE

118

.PP

119

.RS 4

120

The shell indicated in the

121

/etc/passwd

122

entry for the target user\&.

123

.RE

124

.PP

125

.RS 4

126

/bin/sh

127

if a shell could not be found by any above method\&.

128

.RE

129

.sp

130

If the target user has a restricted shell (i\&.e\&. the shell field of this user\*(Aqs entry in

131

/etc/passwd

132

is not listed in

133

/etc/shells), then the

134

\fB\-\-shell\fR

135

option or the

136

\fB$SHELL\fR

137

environment variable won\*(Aqt be taken into account, unless

138

\fBsu\fR

139

is called by root\&.

140

.RE

141

.PP

142

\fB\-m\fR, \fB\-p\fR, \fB\-\-preserve\-environment\fR

143

.RS 4

144

Preserve the current environment, except for:

145

.PP

146

\fB$PATH\fR

147

.RS 4

148

reset according to the

149

/etc/login\&.defs

150

options

151

\fBENV_PATH\fR

152

153

\fBENV_SUPATH\fR

154

(see below);

155

.RE

156

.PP

157

\fB$IFS\fR

158

.RS 4

159

reset to

160

\(lq<space><tab><newline>\(rq, if it was set\&.

161

.RE

162

.sp

163

If the target user has a restricted shell, this option has no effect (unless

164

\fBsu\fR

165

is called by root)\&.

166

.sp

167

Note that the default behavior for the environment is the following:

168

.PP

169

.RS 4

170

The

171

\fB$HOME\fR,

172

\fB$SHELL\fR,

173

\fB$USER\fR,

174

\fB$LOGNAME\fR,

175

\fB$PATH\fR, and

176

\fB$IFS\fR

177

environment variables are reset\&.

178

.RE

179

.PP

180

.RS 4

181

182

\fB\-\-login\fR

183

is not used, the environment is copied, except for the variables above\&.

184

.RE

185

.PP

186

.RS 4

187

188

\fB\-\-login\fR

189

is used, the

190

\fB$TERM\fR,

191

\fB$COLORTERM\fR,

192

\fB$DISPLAY\fR, and

193

\fB$XAUTHORITY\fR

194

environment variables are copied if they were set\&.

195

.RE

196

.PP

197

.RS 4

198

199

\fB\-\-login\fR

200

is used, the

201

\fB$TZ\fR,

202

\fB$HZ\fR, and

203

\fB$MAIL\fR

204

environment variables are set according to the

205

/etc/login\&.defs

206

options

207

\fBENV_TZ\fR,

208

\fBENV_HZ\fR,

209

\fBMAIL_DIR\fR, and

210

\fBMAIL_FILE\fR

211

(see below)\&.

212

.RE

213

.PP

214

.RS 4

215

216

\fB\-\-login\fR

217

is used, other environment variables might be set by the

218

\fBENVIRON_FILE\fR

219

file (see below)\&.

220

.RE

221

.sp

222

.RE

223

.SH "CAVEATS"

224

.PP

225

This version of

226

\fBsu\fR

227

has many compilation options, only some of which may be in use at any particular site\&.

228

.SH "CONFIGURATION"

229

.PP

230

The following configuration variables in

231

/etc/login\&.defs

232

change the behavior of this tool:

233

.PP

234

\fBCONSOLE\fR (string)

235

.RS 4

236

If defined, either full pathname of a file containing device names (one per line) or a ":" delimited list of device names\&. Root logins will be allowed only upon these devices\&.

237

.sp

238

If not defined, root will be allowed on any device\&.

239

.sp

240

The device should be specified without the /dev/ prefix\&.

241

.RE

242

.PP

243

\fBCONSOLE_GROUPS\fR (string)

244

.RS 4

245

List of groups to add to the user\*(Aqs supplementary groups set when logging in on the console (as determined by the CONSOLE setting)\&. Default is none\&.

246

247

Use with caution \- it is possible for users to gain permanent access to these groups, even when not logged in on the console\&.

248

.RE

249

.PP

250

\fBDEFAULT_HOME\fR (boolean)

251

.RS 4

252

Indicate if login is allowed if we can\*(Aqt cd to the home directory\&. Default is no\&.

253

.sp

254

If set to

255

\fIyes\fR, the user will login in the root (/) directory if it is not possible to cd to her home directory\&.

256

.RE

257

.PP

258

\fBENV_HZ\fR (string)

259

.RS 4

260

If set, it will be used to define the HZ environment variable when a user login\&. The value must be preceded by

261

\fIHZ=\fR\&. A common value on Linux is

262

\fIHZ=100\fR\&.

263

.RE

264

.PP

265

\fBENVIRON_FILE\fR (string)

266

.RS 4

267

If this file exists and is readable, login environment will be read from it\&. Every line should be in the form name=value\&.

268

.sp

269

Lines starting with a # are treated as comment lines and ignored\&.

270

.RE

271

.PP

272

\fBENV_PATH\fR (string)

273

.RS 4

274

If set, it will be used to define the PATH environment variable when a regular user login\&. The value is a colon separated list of paths (for example

275

\fI/bin:/usr/bin\fR) and can be preceded by

276

\fIPATH=\fR\&. The default value is

277

\fIPATH=/bin:/usr/bin\fR\&.

278

.RE

279

.PP

280

\fBENV_SUPATH\fR (string)

281

.RS 4

282

If set, it will be used to define the PATH environment variable when the superuser login\&. The value is a colon separated list of paths (for example

283

\fI/sbin:/bin:/usr/sbin:/usr/bin\fR) and can be preceded by

284

\fIPATH=\fR\&. The default value is

285

\fIPATH=/sbin:/bin:/usr/sbin:/usr/bin\fR\&.

286

.RE

287

.PP

288

\fBENV_TZ\fR (string)

289

.RS 4

290

If set, it will be used to define the TZ environment variable when a user login\&. The value can be the name of a timezone preceded by

291

\fITZ=\fR

292

(for example

293

\fITZ=CST6CDT\fR), or the full path to the file containing the timezone specification (for example

294

/etc/tzname)\&.

295

.sp

296

If a full path is specified but the file does not exist or cannot be read, the default is to use

297

\fITZ=CST6CDT\fR\&.

298

.RE

299

.PP

300

\fBLOGIN_STRING\fR (string)

301

.RS 4

302

The string used for prompting a password\&. The default is to use "Password: ", or a translation of that string\&. If you set this variable, the prompt will not be translated\&.

303

.sp

304

If the string contains

305

\fI%s\fR, this will be replaced by the user\*(Aqs name\&.

306

.RE

307

.PP

308

\fBMAIL_CHECK_ENAB\fR (boolean)

309

.RS 4

310

Enable checking and display of mailbox status upon login\&.

311

.sp

312

You should disable it if the shell startup files already check for mail ("mailx \-e" or equivalent)\&.

313

.RE

314

.PP

315

\fBMAIL_DIR\fR (string)

316

.RS 4

317

The mail spool directory\&. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted\&. If not specified, a compile\-time default is used\&.

318

.RE

319

.PP

320

\fBMAIL_FILE\fR (string)

321

.RS 4

322

Defines the location of the users mail spool files relatively to their home directory\&.

323

.RE

324

.PP

325

The

326

\fBMAIL_DIR\fR

327

and

328

\fBMAIL_FILE\fR

329

variables are used by

330

\fBuseradd\fR,

331

\fBusermod\fR, and

332

\fBuserdel\fR

333

to create, move, or delete the user\*(Aqs mail spool\&.

334

.PP

335

336

\fBMAIL_CHECK_ENAB\fR

337

is set to

338

\fIyes\fR, they are also used to define the

339

\fBMAIL\fR

340

environment variable\&.

341

.PP

342

\fBQUOTAS_ENAB\fR (boolean)

343

.RS 4

344

Enable setting of resource limits from

345

/etc/limits

346

and ulimit, umask, and niceness from the user\*(Aqs passwd gecos field\&.

347

.RE

348

.PP

349

\fBSULOG_FILE\fR (string)

350

.RS 4

351

If defined, all su activity is logged to this file\&.

352

.RE

353

.PP

354

\fBSU_NAME\fR (string)

355

.RS 4

356

If defined, the command name to display when running "su \-"\&. For example, if this is defined as "su" then a "ps" will display the command is "\-su"\&. If not defined, then "ps" would display the name of the shell actually being run, e\&.g\&. something like "\-sh"\&.

357

.RE

358

.PP

359

\fBSU_WHEEL_ONLY\fR (boolean)

360

.RS 4

361

362

\fIyes\fR, the user must be listed as a member of the first gid 0 group in

363

/etc/group

364

(called

365

\fIroot\fR

366

on most Linux systems) to be able to

367

\fBsu\fR

368

to uid 0 accounts\&. If the group doesn\*(Aqt exist or is empty, no one will be able to

369

\fBsu\fR

370

to uid 0\&.

371

.RE

372

.PP

373

\fBSYSLOG_SU_ENAB\fR (boolean)

374

.RS 4

375

Enable "syslog" logging of

376

\fBsu\fR

377

activity \- in addition to sulog file logging\&.

378

.RE

379

.PP

380

\fBUSERGROUPS_ENAB\fR (boolean)

381

.RS 4

382

Enable setting of the umask group bits to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007) for non\-root users, if the uid is the same as gid, and username is the same as the primary group name\&.

383

.sp

384

If set to

385

\fIyes\fR,

386

\fBuserdel\fR

387

will remove the user\*(Aqs group if it contains no more members, and

388

\fBuseradd\fR

389

will create by default a group with the name of the user\&.

390

.RE

391

.SH "FILES"

392

.PP

393

/etc/passwd

394

.RS 4

395

User account information\&.

396

.RE

397

.PP

398

/etc/shadow

399

.RS 4

400

Secure user account information\&.

401

.RE

402

.PP

403

/etc/login\&.defs

404

.RS 4

405

Shadow password suite configuration\&.

406

.RE

407

.SH "EXIT VALUES"

408

.PP

409

On success,

410

\fBsu\fR

411

returns the exit value of the command it executed\&.

412

.PP

413

If this command was terminated by a signal,

414

\fBsu\fR

415

returns the number of this signal plus 128\&.

416

.PP

417

If su has to kill the command (because it was asked to terminate, and the command did not terminate in time),

418

\fBsu\fR

419

returns 255\&.

420

.PP

421

Some exit values from

422

\fBsu\fR

423

are independent from the executed command:

424

.PP

425

\fI0\fR

426

.RS 4

427

success (\fB\-\-help\fR

428

only)

429

.RE

430

.PP

431

\fI1\fR

432

.RS 4

433

System or authentication failure

434

.RE

435

.PP

436

\fI126\fR

437

.RS 4

438

The requested command was not found

439

.RE

440

.PP

441

\fI127\fR

442

.RS 4

443

The requested command could not be executed

444

.RE

445

.SH "SEE ALSO"

446

.PP

447

\fBlogin\fR(1),

448

\fBlogin.defs\fR(5),

449

\fBsg\fR(1),

450

\fBsh\fR(1)\&.

Older »