1.\" Copyright (c) 1988, 1990, 1993, 1994 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 4. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)su.1 8.2 (Berkeley) 4/18/94 29.\" $FreeBSD$ 30.\" 31.Dd July 1, 2008 32.Dt SU 1 33.Os 34.Sh NAME 35.Nm su 36.Nd substitute user identity 37.Sh SYNOPSIS 38.Nm 39.Op Fl 40.Op Fl flms 41.Op Fl c Ar class 42.Op Ar login Op Ar args 43.Sh DESCRIPTION 44The 45.Nm 46utility requests appropriate user credentials via PAM 47and switches to that user ID 48(the default user is the superuser). 49A shell is then executed. 50.Pp 51PAM is used to set the policy 52.Xr su 1 53will use. 54In particular, by default only users in the 55.Dq Li wheel 56group can switch to UID 0 57.Pq Dq Li root . 58This group requirement may be changed by modifying the 59.Dq Li pam_group 60section of 61.Pa /etc/pam.d/su . 62See 63.Xr pam_group 8 64for details on how to modify this setting. 65.Pp 66By default, the environment is unmodified with the exception of 67.Ev USER , 68.Ev HOME , 69and 70.Ev SHELL . 71.Ev HOME 72and 73.Ev SHELL 74are set to the target login's default values. 75.Ev USER 76is set to the target login, unless the target login has a user ID of 0, 77in which case it is unmodified. 78The invoked shell is the one belonging to the target login. 79This is the traditional behavior of 80.Nm . 81Resource limits and session priority applicable to the original user's 82login class (see 83.Xr login.conf 5 ) 84are also normally retained unless the target login has a user ID of 0. 85.Pp 86The options are as follows: 87.Bl -tag -width Ds 88.It Fl f 89If the invoked shell is 90.Xr csh 1 , 91this option prevents it from reading the 92.Dq Pa .cshrc 93file. 94.It Fl l 95Simulate a full login. 96The environment is discarded except for 97.Ev HOME , 98.Ev SHELL , 99.Ev PATH , 100.Ev TERM , 101and 102.Ev USER . 103.Ev HOME 104and 105.Ev SHELL 106are modified as above. 107.Ev USER 108is set to the target login. 109.Ev PATH 110is set to 111.Dq Pa /bin:/usr/bin . 112.Ev TERM 113is imported from your current environment. 114Environment variables may be set or overridden from the login class 115capabilities database according to the class of the target login. 116The invoked shell is the target login's, and 117.Nm 118will change directory to the target login's home directory. 119Resource limits and session priority are modified to that for the 120target account's login class. 121.It Fl 122(no letter) The same as 123.Fl l . 124.It Fl m 125Leave the environment unmodified. 126The invoked shell is your login shell, and no directory changes are made. 127As a security precaution, if the target user's shell is a non-standard 128shell (as defined by 129.Xr getusershell 3 ) 130and the caller's real uid is 131non-zero, 132.Nm 133will fail. 134.It Fl s 135Set the MAC label to the user's default label as part of the user 136credential setup. 137Setting the MAC label may fail if the MAC label of the invoking process 138is not sufficient to transition to the user's default MAC label. 139If the label cannot be set, 140.Nm 141will fail. 142.It Fl c Ar class 143Use the settings of the specified login class. 144Only allowed for the super-user. 145.El 146.Pp 147The 148.Fl l 149(or 150.Fl ) 151and 152.Fl m 153options are mutually exclusive; the last one specified 154overrides any previous ones. 155.Pp 156If the optional 157.Ar args 158are provided on the command line, they are passed to the login shell of 159the target login. 160Note that all command line arguments before the target login name are 161processed by 162.Nm 163itself, everything after the target login name gets passed to the login 164shell. 165.Pp 166By default (unless the prompt is reset by a startup file) the super-user 167prompt is set to 168.Dq Sy \&# 169to remind one of its awesome power. 170.Sh ENVIRONMENT 171Environment variables used by 172.Nm : 173.Bl -tag -width HOME 174.It Ev HOME 175Default home directory of real user ID unless modified as 176specified above. 177.It Ev PATH 178Default search path of real user ID unless modified as specified above. 179.It Ev TERM 180Provides terminal type which may be retained for the substituted 181user ID. 182.It Ev USER 183The user ID is always the effective ID (the target user ID) after an 184.Nm 185unless the user ID is 0 (root). 186.El 187.Sh FILES 188.Bl -tag -width ".Pa /etc/pam.d/su" -compact 189.It Pa /etc/pam.d/su 190PAM configuration for 191.Nm . 192.El 193.Sh EXAMPLES 194.Bl -tag -width 5n -compact 195.It Li "su -m man -c catman" 196Runs the command 197.Li catman 198as user 199.Li man . 200You will be asked for man's password unless your real UID is 0. 201Note that the 202.Fl m 203option is required since user 204.Dq man 205does not have a valid shell by default. 206.It Li "su -m man -c 'catman /usr/share/man /usr/local/man'" 207Same as above, but the target command consists of more than a 208single word and hence is quoted for use with the 209.Fl c 210option being passed to the shell. 211(Most shells expect the argument to 212.Fl c 213to be a single word). 214.It Li "su -m -c staff man -c 'catman /usr/share/man /usr/local/man'" 215Same as above, but the target command is run with the resource limits of 216the login class 217.Dq staff . 218Note: in this example, the first 219.Fl c 220option applies to 221.Nm 222while the second is an argument to the shell being invoked. 223.It Li "su -l foo" 224Simulate a login for user foo. 225.It Li "su - foo" 226Same as above. 227.It Li "su -" 228Simulate a login for root. 229.El 230.Sh SEE ALSO 231.Xr csh 1 , 232.Xr sh 1 , 233.Xr group 5 , 234.Xr login.conf 5 , 235.Xr passwd 5 , 236.Xr environ 7 , 237.Xr pam_group 8 238.Sh HISTORY 239A 240.Nm 241command appeared in 242.At v1 . 243