su(1M)                                                                  su(1M)

NAME
     su - become superuser or another user

SYNOPSIS
     su [ - ] [ name ] [ -M label ] [ -C capability set ] [ arg ... ]

DESCRIPTION
     su allows you to become another user without logging off. The default
     user name is root (that is, superuser).

     To use su, you must supply the appropriate password (except as described
     below). If the password is correct, su executes a new shell with the
     real and effective user ID set to that of the specified user. The new
     shell is the program optionally named in the shell field of the
     specified user's password file entry (see passwd(4)), or /bin/sh if none
     is specified (see sh(1)). To restore normal user ID privileges, type an
     EOF (<Ctrl-d>) to the new shell.

     su prompts for a password if the specified user's account has one.
     However, su does not prompt you if your user name is root or your name
     is listed in the specified user's .rhosts file as:

          localhost your_name

     (The hostname of localhost is shorthand for the machine's name.)

OPTIONS
     -C <capability set>
          Execute the requested command with the specified capability set.
          The requested user must be cleared to operate with the requested
          capability set. If capabilities are not configured on your system,
          this option is silently ignored.

     -M <MAC label>
          Execute the requested command at the specified label. The invoker
          of su must be cleared to operate at the requested label. If that
          label is different than the user's current label then stdin,
          stdout, and stderr will be closed and the shell will be terminated.
          To prevent shells from terminating, a new window shell must be
          created at the new label. This is achieved by using the -c option
          (see examples). If MAC is not configured on your system (see
          sysconf(1)), this option is silently ignored.

     Any additional arguments given on the command line are passed to the
     program invoked as the shell. When using programs like sh(1), an arg of
     the form -c string executes string via the shell and an arg of -r gives
     the user a restricted shell.

     su reads /etc/default/su to determine default behavior. To change the
     defaults, the system administrator should edit this file. Recognized
     values are:

          SULOG=file       # Use file as the su log file.
          CONSOLE=device   # Log successful attempts to su root to device.
          SUPATH=path      # Use path as the PATH for root.
          PATH=path        # Use path as the PATH for normal users.
          SYSLOG=FAIL      # Log to syslog all failures (SYSLOG=FAIL)
                           # or all successes and failures (SYSLOG=ALL).

     The following statements are true only if the optional program named in
     the shell field of the specified user's password file entry is like
     sh(1). If the first argument to su is a -, the environment is changed to
     what would be expected if the user actually logged in as the specified
     user. This is done by invoking the program used as the shell with an
     arg0 value whose first character is -, thus causing the system's profile
     (/etc/profile) and then the specified user's profile (.profile in the
     new HOME directory) to be executed. Otherwise, the environment is passed
     along with the possible exception of $PATH, which is set to

          /usr/sbin:/usr/bsd:/sbin:/usr/bin:/bin:/etc:/usr/etc:/usr/bin/X11

     for root. Additionally, environment variables of the form of those that
     are special to rld(1) are not passed to the user's program; that is,
     variable names beginning with either _RLD or LD_LIBRARY.

     Note that if the optional program used as the shell is /bin/sh, the
     user's .profile can check arg0 for -sh or -su to determine if it was
     invoked by login(1) or su, respectively. If the user's program is other
     than /bin/sh, then .profile is invoked with an arg0 of -program by both
     login and su.

     All attempts to become another user using su are logged in the log file
     /var/adm/sulog by default.

EXAMPLES
     To become user bin while retaining your previously exported environment,
     execute:

          su bin

     To become user bin but change the environment to what would be expected
     if bin had originally logged in, execute:

          su - bin

     To execute command with the temporary environment and permissions of
     user bin, type:

          su - bin -c "command args"

     Under Trusted Irix, to create a new window shell for user bin at a MAC
     label of dblow, execute:

          su bin -M dblow -c xwsh &

FILES
     /etc/passwd         system's password file
     /etc/profile        system's initialization script for /bin/sh users
     /etc/cshrc          system's initialization script for /bin/csh users
     $HOME/.profile      /bin/sh user's initialization script
     $HOME/.cshrc        /bin/csh user's initialization script
     $HOME/.rhosts       user's list of trusted users
     /var/adm/sulog      log file
     /etc/default/su     defaults file
     /etc/config/pam     to determine whether PAM is enabled

SEE ALSO
     capability(4), env(1), login(1), rld(1), sh(1), cshrc(4), passwd(4),
     profile(4), rhosts(4), environ(5), pam(8).

DIAGNOSTICS
     su: uid N: cannot attach to lnode - reason.
          The lnode attachment failed, so the shell was not executed.
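
The following is an added example, not part of the original manual page: a POSIX sh audit of two settings described above, the "localhost name" entries in .rhosts that let a user su without a password prompt, and the SYSLOG value in /etc/default/su. The function names, the root-prefix argument, the last-assignment-wins rule and the sample tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the man page). Sample data at the bottom is constructed.

# Names that a .rhosts file lets su to its owner without a password prompt:
# entries of the form "localhost name", as described in the DESCRIPTION.
rhosts_su_grants() {            # $1 = path to a .rhosts file
    awk '$1 == "localhost" && NF >= 2 { print $2 }' "$1"
}

# For every account in a passwd(4)-format file, list "grantee -> account"
# pairs found in that account's $HOME/.rhosts. $2 is prefixed to each home
# directory so the check can run against a mounted or copied tree.
audit_rhosts() {                # $1 = passwd file, $2 = optional root prefix
    while IFS=: read -r name _pw _uid _gid _gecos home _shell; do
        f="$2$home/.rhosts"
        [ -f "$f" ] || continue
        for who in $(rhosts_su_grants "$f"); do
            echo "$who -> $name"
        done
    done < "$1"
}

# Effective SYSLOG= value in a defaults file in /etc/default/su format.
# Prints FAIL, ALL, or "unset"; the last uncommented assignment wins here
# (an assumption, the page does not say how duplicates are resolved).
su_syslog_setting() {           # $1 = path to defaults file
    awk -F= '$1 == "SYSLOG" { sub(/[ \t#].*/, "", $2); v = $2 }
             END { print (v == "" ? "unset" : v) }' "$1"
}

# --- constructed sample tree, for demonstration only ---
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/usr/people/bin" "$demo_root/etc/default"
printf 'root:x:0:0:root:/:/bin/sh\nbin:x:2:2:bin:/usr/people/bin:/bin/sh\n' \
    > "$demo_root/passwd"
printf 'localhost alice\nbuildhost carol\n' > "$demo_root/usr/people/bin/.rhosts"
printf 'SULOG=/var/adm/sulog\nSYSLOG=FAIL   # failures only\n' \
    > "$demo_root/etc/default/su"

audit_rhosts "$demo_root/passwd" "$demo_root"
echo "SYSLOG=$(su_syslog_setting "$demo_root/etc/default/su")"
```

On a live system, call audit_rhosts /etc/passwd with no prefix and su_syslog_setting /etc/default/su; a result of FAIL or unset means successful su attempts are not sent to syslog.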