1.\" Copyright (c) 1988, 1990, 1993, 1994 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)su.1 8.2 (Berkeley) 4/18/94 29.\" $FreeBSD$ 30.\" 31.Dd March 26, 2020 32.Dt SU 1 33.Os 34.Sh NAME 35.Nm su 36.Nd substitute user identity 37.Sh SYNOPSIS 38.Nm 39.Op Fl 40.Op Fl c Ar class 41.Op Fl flms 42.Op Ar login Op Ar args 43.Sh DESCRIPTION 44The 45.Nm 46utility requests appropriate user credentials via PAM 47and switches to that user ID 48(the default user is the superuser). 49A shell is then executed. 50.Pp 51PAM is used to set the policy 52.Xr su 1 53will use. 54In particular, by default only users in the 55.Dq Li wheel 56group can switch to UID 0 57.Pq Dq Li root . 58This group requirement may be changed by modifying the 59.Dq Li pam_group 60section of 61.Pa /etc/pam.d/su . 62See 63.Xr pam_group 8 64for details on how to modify this setting. 65.Pp 66By default, the environment is unmodified with the exception of 67.Ev USER , 68.Ev HOME , 69and 70.Ev SHELL . 71.Ev HOME 72and 73.Ev SHELL 74are set to the target login's default values. 75.Ev USER 76is set to the target login, unless the target login has a user ID of 0, 77in which case it is unmodified. 78The invoked shell is the one belonging to the target login. 79This is the traditional behavior of 80.Nm . 81Resource limits and session priority applicable to the original user's 82login class (see 83.Xr login.conf 5 ) 84are also normally retained unless the target login has a user ID of 0. 85.Pp 86The options are as follows: 87.Bl -tag -width Ds 88.It Fl c Ar class 89Use the settings of the specified login class. 90The login class must be defined in 91.Xr login.conf 5 . 92Only allowed for the super-user. 93.It Fl f 94If the invoked shell is 95.Xr csh 1 , 96this option prevents it from reading the 97.Dq Pa .cshrc 98file. 99.It Fl l 100Simulate a full login. 101The environment is discarded except for 102.Ev HOME , 103.Ev SHELL , 104.Ev PATH , 105.Ev TERM , 106and 107.Ev USER . 108.Ev HOME 109and 110.Ev SHELL 111are modified as above. 112.Ev USER 113is set to the target login. 114.Ev PATH 115is set to 116.Dq Pa /bin:/usr/bin . 117.Ev TERM 118is imported from your current environment. 119Environment variables may be set or overridden from the login class 120capabilities database according to the class of the target login. 121The invoked shell is the target login's, and 122.Nm 123will change directory to the target login's home directory. 124Resource limits and session priority are modified to that for the 125target account's login class. 126.It Fl 127(no letter) The same as 128.Fl l . 129.It Fl m 130Leave the environment unmodified. 131The invoked shell is your login shell, and no directory changes are made. 132As a security precaution, if the target user's shell is a non-standard 133shell (as defined by 134.Xr getusershell 3 ) 135and the caller's real uid is 136non-zero, 137.Nm 138will fail. 139.It Fl s 140Set the MAC label to the user's default label as part of the user 141credential setup. 142Setting the MAC label may fail if the MAC label of the invoking process 143is not sufficient to transition to the user's default MAC label. 144If the label cannot be set, 145.Nm 146will fail. 147.El 148.Pp 149The 150.Fl l 151(or 152.Fl ) 153and 154.Fl m 155options are mutually exclusive; the last one specified 156overrides any previous ones. 157.Pp 158If the optional 159.Ar args 160are provided on the command line, they are passed to the login shell of 161the target login. 162Note that all command line arguments before the target login name are 163processed by 164.Nm 165itself, everything after the target login name gets passed to the login 166shell. 167.Pp 168By default (unless the prompt is reset by a startup file) the super-user 169prompt is set to 170.Dq Sy \&# 171to remind one of its awesome power. 172.Sh ENVIRONMENT 173Environment variables used by 174.Nm : 175.Bl -tag -width HOME 176.It Ev HOME 177Default home directory of real user ID unless modified as 178specified above. 179.It Ev PATH 180Default search path of real user ID unless modified as specified above. 181.It Ev TERM 182Provides terminal type which may be retained for the substituted 183user ID. 184.It Ev USER 185The user ID is always the effective ID (the target user ID) after an 186.Nm 187unless the user ID is 0 (root). 188.El 189.Sh FILES 190.Bl -tag -width "/etc/pam.d/su" -compact 191.It Pa /etc/pam.d/su 192PAM configuration for 193.Nm . 194.El 195.Sh EXAMPLES 196.Bl -tag -width 5n -compact 197.It Li "su -m operator -c poweroff" 198Starts a shell as user 199.Li operator , 200and runs the command 201.Li poweroff . 202You will be asked for operator's password unless your real UID is 0. 203Note that the 204.Fl m 205option is required since user 206.Dq operator 207does not have a valid shell by default. 208In this example, 209.Fl c 210is passed to the shell of the user 211.Dq operator , 212and is not interpreted as an argument to 213.Nm . 214.It Li "su -m operator -c 'shutdown -p now'" 215Same as above, but the target command consists of more than a 216single word and hence is quoted for use with the 217.Fl c 218option being passed to the shell. 219(Most shells expect the argument to 220.Fl c 221to be a single word). 222.It Li "su -m -c staff operator -c 'shutdown -p now'" 223Same as above, but the target command is run with the resource limits of 224the login class 225.Dq staff . 226Note: in this example, the first 227.Fl c 228option applies to 229.Nm 230while the second is an argument to the shell being invoked. 231.It Li "su -l foo" 232Simulate a login for user foo. 233.It Li "su - foo" 234Same as above. 235.It Li "su -" 236Simulate a login for root. 237.El 238.Sh SEE ALSO 239.Xr csh 1 , 240.Xr sh 1 , 241.Xr group 5 , 242.Xr login.conf 5 , 243.Xr passwd 5 , 244.Xr environ 7 , 245.Xr pam_group 8 246.Sh HISTORY 247A 248.Nm 249command appeared in 250.At v1 . 251