xref: /freebsd/usr.bin/su/su.1 (revision aa24f48b361effe51163877d84f1b70d32b77e04)
1.\" Copyright (c) 1988, 1990, 1993, 1994
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. Neither the name of the University nor the names of its contributors
13.\"    may be used to endorse or promote products derived from this software
14.\"    without specific prior written permission.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.\"	@(#)su.1	8.2 (Berkeley) 4/18/94
29.\" $FreeBSD$
30.\"
31.Dd August 11, 2013
32.Dt SU 1
33.Os
34.Sh NAME
35.Nm su
36.Nd substitute user identity
37.Sh SYNOPSIS
38.Nm
39.Op Fl
40.Op Fl c Ar class
41.Op Fl flms
42.Op Ar login Op Ar args
43.Sh DESCRIPTION
44The
45.Nm
46utility requests appropriate user credentials via PAM
47and switches to that user ID
48(the default user is the superuser).
49A shell is then executed.
50.Pp
51PAM is used to set the policy
52.Xr su 1
53will use.
54In particular, by default only users in the
55.Dq Li wheel
56group can switch to UID 0
57.Pq Dq Li root .
58This group requirement may be changed by modifying the
59.Dq Li pam_group
60section of
61.Pa /etc/pam.d/su .
62See
63.Xr pam_group 8
64for details on how to modify this setting.
65.Pp
66By default, the environment is unmodified with the exception of
67.Ev USER ,
68.Ev HOME ,
69and
70.Ev SHELL .
71.Ev HOME
72and
73.Ev SHELL
74are set to the target login's default values.
75.Ev USER
76is set to the target login, unless the target login has a user ID of 0,
77in which case it is unmodified.
78The invoked shell is the one belonging to the target login.
79This is the traditional behavior of
80.Nm .
81Resource limits and session priority applicable to the original user's
82login class (see
83.Xr login.conf 5 )
84are also normally retained unless the target login has a user ID of 0.
85.Pp
86The options are as follows:
87.Bl -tag -width Ds
88.It Fl c Ar class
89Use the settings of the specified login class.
90The login class must be defined in
91.Xr login.conf 5 .
92Only allowed for the super-user.
93.It Fl f
94If the invoked shell is
95.Xr csh 1 ,
96this option prevents it from reading the
97.Dq Pa .cshrc
98file.
99.It Fl l
100Simulate a full login.
101The environment is discarded except for
102.Ev HOME ,
103.Ev SHELL ,
104.Ev PATH ,
105.Ev TERM ,
106and
107.Ev USER .
108.Ev HOME
109and
110.Ev SHELL
111are modified as above.
112.Ev USER
113is set to the target login.
114.Ev PATH
115is set to
116.Dq Pa /bin:/usr/bin .
117.Ev TERM
118is imported from your current environment.
119Environment variables may be set or overridden from the login class
120capabilities database according to the class of the target login.
121The invoked shell is the target login's, and
122.Nm
123will change directory to the target login's home directory.
124Resource limits and session priority are modified to that for the
125target account's login class.
126.It Fl
127(no letter) The same as
128.Fl l .
129.It Fl m
130Leave the environment unmodified.
131The invoked shell is your login shell, and no directory changes are made.
132As a security precaution, if the target user's shell is a non-standard
133shell (as defined by
134.Xr getusershell 3 )
135and the caller's real uid is
136non-zero,
137.Nm
138will fail.
139.It Fl s
140Set the MAC label to the user's default label as part of the user
141credential setup.
142Setting the MAC label may fail if the MAC label of the invoking process
143is not sufficient to transition to the user's default MAC label.
144If the label cannot be set,
145.Nm
146will fail.
147.El
148.Pp
149The
150.Fl l
151(or
152.Fl )
153and
154.Fl m
155options are mutually exclusive; the last one specified
156overrides any previous ones.
157.Pp
158If the optional
159.Ar args
160are provided on the command line, they are passed to the login shell of
161the target login.
162Note that all command line arguments before the target login name are
163processed by
164.Nm
165itself, everything after the target login name gets passed to the login
166shell.
167.Pp
168By default (unless the prompt is reset by a startup file) the super-user
169prompt is set to
170.Dq Sy \&#
171to remind one of its awesome power.
172.Sh ENVIRONMENT
173Environment variables used by
174.Nm :
175.Bl -tag -width HOME
176.It Ev HOME
177Default home directory of real user ID unless modified as
178specified above.
179.It Ev PATH
180Default search path of real user ID unless modified as specified above.
181.It Ev TERM
182Provides terminal type which may be retained for the substituted
183user ID.
184.It Ev USER
185The user ID is always the effective ID (the target user ID) after an
186.Nm
187unless the user ID is 0 (root).
188.El
189.Sh FILES
190.Bl -tag -width ".Pa /etc/pam.d/su" -compact
191.It Pa /etc/pam.d/su
192PAM configuration for
193.Nm .
194.El
195.Sh EXAMPLES
196.Bl -tag -width 5n -compact
197.It Li "su -m man -c catman"
198Starts a shell as user
199.Li man ,
200and runs the command
201.Li catman .
202You will be asked for man's password unless your real UID is 0.
203Note that the
204.Fl m
205option is required since user
206.Dq man
207does not have a valid shell by default.
208In this example,
209.Fl c
210is passed to the shell of the user
211.Dq man ,
212and is not interpreted as an argument to
213.Nm .
214.It Li "su -m man -c 'catman /usr/share/man /usr/local/man'"
215Same as above, but the target command consists of more than a
216single word and hence is quoted for use with the
217.Fl c
218option being passed to the shell.
219(Most shells expect the argument to
220.Fl c
221to be a single word).
222.It Li "su -m -c staff man -c 'catman /usr/share/man /usr/local/man'"
223Same as above, but the target command is run with the resource limits of
224the login class
225.Dq staff .
226Note: in this example, the first
227.Fl c
228option applies to
229.Nm
230while the second is an argument to the shell being invoked.
231.It Li "su -l foo"
232Simulate a login for user foo.
233.It Li "su - foo"
234Same as above.
235.It Li "su -"
236Simulate a login for root.
237.El
238.Sh SEE ALSO
239.Xr csh 1 ,
240.Xr sh 1 ,
241.Xr group 5 ,
242.Xr login.conf 5 ,
243.Xr passwd 5 ,
244.Xr environ 7 ,
245.Xr pam_group 8
246.Sh HISTORY
247A
248.Nm
249command appeared in
250.At v1 .
251