Changes the user ID associated with a session.
su [ - ] [ Name [ Argument ... ] ]
The su command changes user credentials to those of the root user or to the user specified by the Name parameter, and then initiates a new session. The user name may include a DCE cell specification.
Any arguments, such as flags or parameters, that are specified by the Arguments parameter must relate to the login shell defined for the user specified by the Name parameter. These arguments are passed to the specified user's login shell. For example, if the login shell for user Fred is /usr/bin/csh, you can include any of the flags for the csh command, such as the -f flag. When the su command runs, it passes the -f flag to the csh command. When the csh command runs, the -f flag omits the .cshrc startup script.
The following functions are performed by the su command:
These functions are performed in the sequence shown. If one function is unsuccessful, the succeeding functions are not done. Refer to the ckuseracct, ckuserID, authenticate, setpcred, and setpenv subroutines for the semantics of these functions.
To restore the previous session, type exit or press the Ctrl-D key sequence. This action ends the shell called by the su command and returns you to the previous shell, user ID, and environment.
If the su command is run from the /usr/bin/tsh shell, the trusted shell, you exit from that shell. The su command does not change the security characteristics of the controlling terminal.
Each time the su command is executed, an entry is made in the /var/adm/sulog file. The /var/adm/sulog file records the following information: date, time, system name, and login name. The /var/adm/sulog file also records whether or not the login attempt was successful: a + (plus sign) indicates a successful login, and a - (minus sign) indicates an unsuccessful login.
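The sulog record described above is the audit trail a defender reviews for failed escalation attempts and for who obtained root. The following shell function is an added example, not part of the AIX documentation: it summarises a sulog-format file, listing every unsuccessful attempt and every successful switch to root. The record layout it parses (date, time, +/- result, terminal or system name, then from-to login names) is an assumption modelled on the fields the page lists, and the sample records are constructed; confirm the field positions against a real /var/adm/sulog before relying on it.

```shell
# Added example, not part of the AIX su documentation: summarise a sulog file,
# flagging unsuccessful attempts ("-") and successful switches to root ("+").
# The record layout is an assumption modelled on the fields the page lists
# (date, time, +/- result, terminal or system name, from-to login names);
# confirm the field positions against your own /var/adm/sulog before use.
sulog_report() {
    # $1: path to a sulog-format file
    awk '
        $1 == "SU" {
            result = $4; where = $5; split($6, who, "-")
            if (result == "-") {
                failed++
                printf "FAILED  %s %s %s %s -> %s\n", $2, $3, where, who[1], who[2]
            } else if (who[2] == "root") {
                toroot++
                printf "TO-ROOT %s %s %s %s\n", $2, $3, where, who[1]
            }
        }
        END { printf "failed=%d to_root=%d\n", failed + 0, toroot + 0 }
    ' "$1"
}

# Constructed sample records (not real log data) so the function can be run
# stand-alone; on AIX you would pass /var/adm/sulog instead.
SAMPLE_SULOG="${TMPDIR:-/tmp}/sulog.sample.$$"
cat > "$SAMPLE_SULOG" <<'EOF'
SU 01/15 09:02 + pts/0 jim-root
SU 01/15 09:10 - pts/1 guest-root
SU 01/15 09:11 - pts/1 guest-root
SU 01/15 09:30 + pts/2 jim-fred
EOF

sulog_report "$SAMPLE_SULOG"
```

Repeated "-" records from the same terminal against root, as in the constructed sample, are the pattern worth alerting on; the summary line makes the function easy to feed into a cron job or a log-shipping pipeline.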
Flags:
Flag | Description |
---|---|
- | Specifies that the process environment is to be set as if the user had logged in to the system using the login command. Nothing in the current environment is propagated to the new shell. |
Access Control: All users should have execute (x) access to this command. The command should be setuid to the root user to access authentication information, and have the trusted computing base attribute.
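The access characteristics just described (execute access for all users, setuid to root) are exactly what an attacker or a careless package upgrade can alter, so they are worth verifying. The script below is an added example, not part of the AIX documentation: it parses the mode and owner columns of ls -ld output for a given path (defaulting to /usr/bin/su, the location the page documents) and reports any deviation. The ls -ld column layout ("-rwsr-xr-x 1 root system ...") is assumed; the trusted computing base attribute is not visible to ls and is not checked here.

```shell
# Added example, not part of the AIX su documentation: check that an su binary
# has the access characteristics the page describes (execute access for all
# users, setuid, owned by root). It parses the mode and owner columns of
# "ls -ld" output, e.g. "-rwsr-xr-x 1 root system ...", which is assumed to be
# the usual layout. The trusted computing base attribute is not visible to ls
# and is not checked here.

# mode_has_setuid MODE: true when the owner-execute column is "s" (setuid + x).
mode_has_setuid() {
    case "$1" in
        ???s*) return 0 ;;
        *)     return 1 ;;
    esac
}

# mode_world_exec MODE: true when the "other" execute column is x or t.
mode_world_exec() {
    case "$1" in
        ?????????[xt]*) return 0 ;;
        *)              return 1 ;;
    esac
}

# su_perm_check [PATH]: report deviations; returns 0 only when all checks pass,
# 1 on a deviation, 2 when the path cannot be listed.
su_perm_check() {
    path="${1:-/usr/bin/su}"
    listing=$(ls -ld "$path") || return 2
    set -- $listing                      # word-split into ls columns
    mode="$1"; owner="$3"
    status=0
    mode_has_setuid "$mode" || { echo "WARN: $path is not setuid ($mode)"; status=1; }
    mode_world_exec "$mode" || { echo "WARN: $path is not executable by all users ($mode)"; status=1; }
    [ "$owner" = root ]      || { echo "WARN: $path is owned by $owner, not root"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: $path $mode owner=$owner"
    return "$status"
}

su_perm_check /usr/bin/su
echo "exit status: $?"
```

On AIX the trusted computing base attribute itself is audited with tcbck; this script covers only the ownership and mode bits that a plain directory listing exposes, which is enough to catch a stripped setuid bit or a binary that has changed owner.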
Files Accessed:
Mode | File |
---|---|
r | /etc/passwd |
r | /etc/group |
r | /etc/environment |
r | /etc/security/user |
r | /etc/security/passwd |
r | /etc/security/limits |
r | /etc/security/environ |
w | /var/adm/sulog |
Auditing Events:
Event | Information |
---|---|
USER_Su | user name |
Examples:
su
This command runs a subshell with the effective user ID and privileges of the root user. You will be asked for the root password. Press the End-of-File (Ctrl-D) key sequence to end the subshell and return to your original shell session and privileges.
su jim
This command runs a subshell with the effective user ID and privileges of jim.
su root "-c /usr/sbin/backup -9 -u"
This runs the backup command with root user authority within root's default shell. You must give the correct root password when queried for the command to execute.
Files:
File | Description |
---|---|
/usr/bin/su | Contains the su command. |
/etc/environment | Contains user environment values. |
/etc/group | Contains the basic group attributes. |
/etc/passwd | Contains the basic user attributes. |
/etc/security/user | Contains the extended attributes of users. |
/etc/security/environ | Contains the environment attributes of users. |
/etc/security/limits | Contains the process resource limits of users. |
/etc/security/passwd | Contains password information. |
/var/adm/sulog | Contains information about login attempts. |
Related Information:
The bsh command, csh command, getty command, ksh command, login command, setgroups command, setsenv command, tsh command, and tsm command.
The authenticate subroutine, ckuseracct subroutine, ckuserID subroutine, setpcred subroutine, and setpenv subroutine.
For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX 5L Version 5.2 Security Guide.