1.\" Copyright (c) 1988, 1990, 1993, 1994 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)su.1 8.2 (Berkeley) 4/18/94 29.\" $FreeBSD: src/usr.bin/su/su.1,v 1.41 2008/07/01 20:56:23 danger Exp $ 30.\" 31.Dd July 1, 2008 32.Dt SU 1 33.Os 34.Sh NAME 35.Nm su 36.Nd substitute user identity 37.Sh SYNOPSIS 38.Nm 39.Op Fl 40.Op Fl flm 41.Op Fl c Ar class 42.Op Ar login Op Ar args 43.Sh DESCRIPTION 44The 45.Nm 46utility requests appropriate user credentials via PAM 47and switches to that user ID 48(the default user is the superuser). 49A shell is then executed. 50.Pp 51PAM is used to set the policy 52.Nm 53will use. 54In particular, by default only users in the 55.Dq Li wheel 56group can switch to UID 0 57.Pq Dq Li root . 58This group requirement may be changed by modifying the 59.Dq Li pam_group 60section of 61.Pa /etc/pam.d/su . 62See 63.Xr pam_group 8 64for details on how to modify this setting. 65.Pp 66By default, the environment is unmodified with the exception of 67.Ev USER , 68.Ev HOME , 69and 70.Ev SHELL . 71.Ev HOME 72and 73.Ev SHELL 74are set to the target login's default values. 75.Ev USER 76is set to the target login, unless the target login has a user ID of 0, 77in which case it is unmodified. 78The invoked shell is the one belonging to the target login. 79This is the traditional behavior of 80.Nm . 81Resource limits and session priority applicable to the original user's 82login class (see 83.Xr login.conf 5 ) 84are also normally retained unless the target login has a user ID of 0. 85.Pp 86The options are as follows: 87.Bl -tag -width Ds 88.It Fl f 89If the invoked shell is 90.Xr csh 1 , 91this option prevents it from reading the 92.Dq Pa .cshrc 93file. 94.It Fl l 95Simulate a full login. 96The environment is discarded except for 97.Ev HOME , 98.Ev SHELL , 99.Ev PATH , 100.Ev TERM , 101and 102.Ev USER . 103.Ev HOME 104and 105.Ev SHELL 106are modified as above. 107.Ev USER 108is set to the target login. 109.Ev PATH 110is set to 111.Dq Pa /bin:/usr/bin . 112.Ev TERM 113is imported from your current environment. 114Environment variables may be set or overridden from the login class 115capabilities database according to the class of the target login. 116The invoked shell is the target login's, and 117.Nm 118will change directory to the target login's home directory. 119Resource limits and session priority are modified to that for the 120target account's login class. 121.It Fl 122(no letter) The same as 123.Fl l . 124.It Fl m 125Leave the environment unmodified. 126The invoked shell is your login shell, and no directory changes are made. 127As a security precaution, if the target user's shell is a non-standard 128shell (as defined by 129.Xr getusershell 3 ) 130and the caller's real uid is 131non-zero, 132.Nm 133will fail. 134.It Fl c Ar class 135Use the settings of the specified login class. 136Only allowed for the super-user. 137.El 138.Pp 139The 140.Fl l 141(or 142.Fl ) 143and 144.Fl m 145options are mutually exclusive; the last one specified 146overrides any previous ones. 147.Pp 148If the optional 149.Ar args 150are provided on the command line, they are passed to the login shell of 151the target login. 152Note that all command line arguments before the target login name are 153processed by 154.Nm 155itself, everything after the target login name gets passed to the login 156shell. 157.Pp 158By default (unless the prompt is reset by a startup file) the super-user 159prompt is set to 160.Dq Sy \&# 161to remind one of its awesome power. 162.Sh ENVIRONMENT 163Environment variables used by 164.Nm : 165.Bl -tag -width HOME 166.It Ev HOME 167Default home directory of real user ID unless modified as 168specified above. 169.It Ev PATH 170Default search path of real user ID unless modified as specified above. 171.It Ev TERM 172Provides terminal type which may be retained for the substituted 173user ID. 174.It Ev USER 175The user ID is always the effective ID (the target user ID) after an 176.Nm 177unless the user ID is 0 (root). 178.El 179.Sh FILES 180.Bl -tag -width ".Pa /etc/pam.d/su" -compact 181.It Pa /etc/pam.d/su 182PAM configuration for 183.Nm . 184.El 185.Sh EXAMPLES 186.Bl -tag -width 5n -compact 187.It Li "su -m man -c catman" 188Runs the command 189.Li catman 190as user 191.Li man . 192You will be asked for man's password unless your real UID is 0. 193Note that the 194.Fl m 195option is required since user 196.Dq man 197does not have a valid shell by default. 198.It Li "su -m man -c 'catman /usr/share/man /usr/local/man /usr/pkg/man'" 199Same as above, but the target command consists of more than a 200single word and hence is quoted for use with the 201.Fl c 202option being passed to the shell. 203(Most shells expect the argument to 204.Fl c 205to be a single word). 206.It Li "su -m -c staff man -c 'catman /usr/share/man /usr/local/man /usr/pkg/man'" 207Same as above, but the target command is run with the resource limits of 208the login class 209.Dq staff . 210Note: in this example, the first 211.Fl c 212option applies to 213.Nm 214while the second is an argument to the shell being invoked. 215.It Li "su -l foo" 216Simulate a login for user foo. 217.It Li "su - foo" 218Same as above. 219.It Li "su -" 220Simulate a login for root. 221.El 222.Sh SEE ALSO 223.Xr csh 1 , 224.Xr sh 1 , 225.Xr group 5 , 226.Xr login.conf 5 , 227.Xr passwd 5 , 228.Xr environ 7 , 229.Xr pam_group 8 230.Sh HISTORY 231A 232.Nm 233command appeared in 234.At v1 . 235