Manual Reference Pages - SU (1)
- substitute user identity
utility requests appropriate user credentials via PAM
and switches to that user ID
(the default user is the superuser).
A shell is then executed.
PAM is used to set the policy
In particular, by default only users in the
group can switch to UID 0
This group requirement may be changed by modifying the
for details on how to modify this setting.
By default, the environment is unmodified with the exception of
are set to the target logins default values.
is set to the target login, unless the target login has a user ID of 0,
in which case it is unmodified.
The invoked shell is the one belonging to the target login.
This is the traditional behavior of
Resource limits and session priority applicable to the original users
login class (see
are also normally retained unless the target login has a user ID of 0.
The options are as follows:
Use the settings of the specified login class.
The login class must be defined in
Only allowed for the super-user.
If the invoked shell is
this option prevents it from reading the
Simulate a full login.
The environment is discarded except for
are modified as above.
is set to the target login.
is set to
is imported from your current environment.
Environment variables may be set or overridden from the login class
capabilities database according to the class of the target login.
The invoked shell is the target logins, and
will change directory to the target logins home directory.
Resource limits and session priority are modified to that for the
target accounts login class.
(no letter) The same as
Leave the environment unmodified.
The invoked shell is your login shell, and no directory changes are made.
As a security precaution, if the target users shell is a non-standard
shell (as defined by
and the callers real uid is
Set the MAC label to the users default label as part of the user
Setting the MAC label may fail if the MAC label of the invoking process
is not sufficient to transition to the users default MAC label.
If the label cannot be set,
options are mutually exclusive; the last one specified
overrides any previous ones.
If the optional
are provided on the command line, they are passed to the login shell of
the target login.
Note that all command line arguments before the target login name are
itself, everything after the target login name gets passed to the login
By default (unless the prompt is reset by a startup file) the super-user
prompt is set to
to remind one of its awesome power.
Environment variables used by
Default home directory of real user ID unless modified as
Default search path of real user ID unless modified as specified above.
Provides terminal type which may be retained for the substituted
The user ID is always the effective ID (the target user ID) after an
unless the user ID is 0 (root).
PAM configuration for
| su -m man -c catman
Starts a shell as user
and runs the command
You will be asked for mans password unless your real UID is 0.
Note that the
option is required since user
does not have a valid shell by default.
In this example,
is passed to the shell of the user
and is not interpreted as an argument to
| su -m man -c catman /usr/share/man /usr/local/man
Same as above, but the target command consists of more than a
single word and hence is quoted for use with the
option being passed to the shell.
(Most shells expect the argument to
to be a single word).
| su -m -c staff man -c catman /usr/share/man /usr/local/man
Same as above, but the target command is run with the resource limits of
the login class
Note: in this example, the first
option applies to
while the second is an argument to the shell being invoked.
| su -l foo
Simulate a login for user foo.
| su - foo
Same as above.
| su -
Simulate a login for root.
command appeared in
AT&T v1 .
Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.