[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Commands Reference, Volume 5

su Command


Changes the user ID associated with a session.


su [ - ] [ Name [ Argument ... ] ]


The su command changes user credentials to those of the root user or to the user specified by the Name parameter, and then initiates a new session. The user name may include a DCE cell specification.

The root user is not required to satisfy the Distributed Computing Environment (DCE) authentication when switching to a DCE user. In this case, the user's DCE credentials are not gained.

Any arguments, such as flags or parameters, that are specified by the Arguments parameter must relate to the login shell defined for the user specified by the Name parameter. These arguments are passed to the specified user's login shell. For example, if the login shell for user Fred is /usr/bin/csh, you can include any of the flags for the csh command, such as the -f flag. When the su command runs, it passes the -f flag to the csh command. When the csh command runs, the -f flag omits the .cshrc startup script.

The following functions are performed by the su command:

account checking Validates the user account to be certain it exists, that it is enabled for the su command, that the current user is in a group permitted to switch to this account with the su command, and that it can be used from the current controlling terminal.
user authentication Validates the user's identity, using the system-defined primary authentication methods for the user. If a password has expired, the user must supply a new password.
credentials establishment Establishes initial user credentials, using the values in the user database. These credentials define the user's access rights and accountability on the system.
session initiation If the - flag is specified, the su command initializes the user environment from the values in the user database and the /etc/environment file. When the - flag is not used, the su command does not change the directory.

These functions are performed in the sequence shown. If one function is unsuccessful, the succeeding functions are not done. Refer to the ckuseracct, ckuserID, authenticate, setpcred, and setpenv subroutines for the semantics of these functions.

To restore the previous session, type exit or press the Ctrl-D key sequence. This action ends the shell called by the su command and returns you to the previous shell, user ID, and environment.

If the su command is run from the /usr/bin/tsh shell, the trusted shell, you exit from that shell. The su command does not change the security characteristics of the controlling terminal.

Each time the su command is executed, an entry is made in the /var/adm/sulog file. The /var/adm/sulog file records the following information: date, time, system name, and login name. The /var/adm/sulog file also records whether or not the login attempt was successful: a + (plus sign) indicates a successful login, and a - (minus sign) indicates an unsuccessful login.


- Specifies that the process environment is to be set as if the user had logged in to the system using the login command. Nothing in the current environment is propagated to the new shell.


Access Control: All users should have execute (x) access to this command. The command should be setuid to the root user to access authentication information, and have the trusted computing base attribute.

Files Accessed:

Mode File
r /etc/passwd
r /etc/group
r /etc/environment
r /etc/security/user
r /etc/security/passwd
r /etc/security/limits
r /etc/security/environ
w /var/adm/sulog

Auditing Events:

Event Information
USER_Su user name


  1. To obtain root user authority, type:


    This command runs a subshell with the effective user ID and privileges of the root user. You will be asked for the root password. Press End-of-File, Ctrl+D key sequence, to end the subshell and return to your original shell session and privileges.

  2. To obtain the privileges of the jim user, type:

    su jim

    This command runs a subshell with the effective user ID and privileges of jim.

  3. To set up the environment as if you had logged in as the jim user, type:
    su - jim
    This starts a subshell using jim's login environment.
  4. To run the backup command with root user authority and then return to your original shell, type:

    su root "-c /usr/sbin/backup -9 -u"

    This runs the backup command with root user authority within root's default shell. You must give the correct root password when queried for the command to execute.


/usr/bin/su Contains the su command.
/etc/environment Contains user environment values.
/etc/group Contains the basic group attributes.
/etc/passwd Contains the basic user attributes.
/etc/security/user Contains the extended attributes of users.
/etc/security/environ Contains the environment attributes of users.
/etc/security/limits Contains the process resource limits of users.
/etc/security/passwd Contains password information.
/var/adm/sulog Contains information about login attempts.

Related Information

The bsh command, csh command, getty command, ksh command, login command, setgroups command, setsenv command, tsh command, and tsm command.

The authenticate subroutine, ckuseracct subroutine, ckuserID subroutine, setpcred subroutine, setpenv subroutine.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX 5L Version 5.2 Security Guide.

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]