.TH SU 1 "July 2014" "util-linux" "User Commands"
su \- run a command with substitute user and group ID
.BR su " [options] [" \- ]
.RI [ user " [" argument ...]]
allows commands to be run with a substitute user and group ID.
defaults to running an interactive shell as
is specified, additional
can be supplied, in which case they are passed to the shell.
For backward compatibility,
defaults to not change the current directory and to only set the
is not root). It is recommended to always use the
option (instead of its shortcut
to avoid side effects caused by mixing environments.
uses PAM for authentication, account and session management. Some
configuration options found in other
implementations, such as support for a wheel group, have to be
is mostly designed for unprivileged users, the recommended solution for
privileged users (e.g., scripts executed by root) is to use the
non-set-user-ID command
that does not require authentication and provides a separate PAM configuration. If
the PAM session is not required at all then the recommended solution is to use
in all cases uses PAM (pam_getenvlist()) to do the final environment modification. Command-line options
such as \fB\-\-login\fR and \fB\-\-preserve\-environment\fR affect the environment before it is modified by PAM.
.BR \-c , " \-\-command" = \fIcommand
to the shell, which may or may not be useful, depending on the shell.
.BR \-g , " \-\-group" = \fIgroup
Specify the primary group. This option is available to the root user only.
.BR \-G , " \-\-supp\-group" = \fIgroup
Specify a supplemental group. This option is available to the root user only. The first specified
supplementary group is also used as a primary group if the option \fB\-\-group\fR is unspecified.
.BR \- , " \-l" , " \-\-login"
Start the shell as a login shell with an environment similar to a real
clears all the environment variables except
and variables specified by \fB\-\-whitelist\-environment\fR
initializes the environment variables
changes to the target user's home directory
sets argv[0] of the shell to
in order to make the shell a login shell
.BR \-m , " \-p" , " \-\-preserve\-environment"
Preserve the entire environment, i.e., it does not set
This option is ignored if the option \fB\-\-login\fR is specified.
Create a pseudo-terminal for the session. The independent terminal provides
better security as the user does not share a terminal with the original
session. This makes it possible to avoid TIOCSTI ioctl terminal injection and other
security attacks against terminal file descriptors. The entire session can also be
moved to the background (e.g., "su \-\-pty \- username \-c
application &"). If the pseudo-terminal is enabled, then the su command works
as a proxy between the sessions (copying stdin and stdout).
This feature is mostly designed for interactive sessions. If the standard input
is not a terminal, but for example a pipe (e.g., echo "date" | su \-\-pty), then the ECHO
flag for the pseudo-terminal is disabled to avoid messy output.
.BR \-s , " \-\-shell" = \fIshell
Run the specified \fIshell\fR instead of the default. The shell to run is
selected according to the following rules, in order:
the shell specified with
the shell specified in the environment variable
.B \-\-preserve\-environment
the shell listed in the passwd entry of the target user
If the target user has a restricted shell (i.e., not listed in
environment variables are ignored unless the calling user is root.
.BI \-\-session\-command= command
but do not create a new session. (Discouraged.)
.BR \-w , " \-\-whitelist\-environment" = \fIlist
Do not reset the environment variables specified in the comma-separated \fIlist\fR when clearing the
environment for \fB\-\-login\fR. The whitelist is ignored for the environment variables
.BR \-V , " \-\-version"
Display version information and exit.
.BR \-h , " \-\-help"
Display help text and exit.
Upon receiving either
terminates its child and afterwards terminates itself with the received signal.
The child is terminated by SIGTERM; after an unsuccessful attempt and 2 seconds of
delay, the child is killed by SIGKILL.
configuration files. The following configuration items are relevant
Delay in seconds in case of an authentication failure. The number must be
a non-negative integer.
Defines the PATH environment variable for a regular user. The
.IR /usr/local/bin:\:/bin:\:/usr/bin .
Defines the PATH environment variable for root. ENV_SUPATH takes precedence. The default value is
.IR /usr/local/sbin:\:/usr/local/bin:\:/sbin:\:/bin:\:/usr/sbin:\:/usr/bin .
and \-\-login and \-\-preserve\-environment were not specified
The environment variable PATH may be different on systems where /bin and /sbin
are merged into /usr; this variable is also affected by the \fB\-\-login\fR command-line option and
the PAM system setting (e.g., pam_env).
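The following is an added example, not part of the util-linux sources: it resolves the PATH that a login.defs-style file gives root, using the ENV_SUPATH precedence and the default value stated above, then flags entries that are empty or not absolute. The item name ENV_ROOTPATH, the simplified parser, the tolerated "PATH=" prefix and the sample file are assumptions of this example; PAM (e.g., pam_env) may still change the final value.

```shell
#!/bin/sh
# Added example: compute the PATH that login.defs-style settings give root
# under su, then flag entries that resolve relative to the current directory.

# Default for root as stated in the text above.
DEFAULT_ROOT_PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# defs_get FILE KEY: print the value of the first "KEY value" line.
# Simplified parser (assumption): whitespace-separated, "#" starts a comment.
defs_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# root_path FILE: ENV_SUPATH takes precedence over ENV_ROOTPATH, else default.
root_path() {
    v=$(defs_get "$1" ENV_SUPATH)
    [ -n "$v" ] || v=$(defs_get "$1" ENV_ROOTPATH)
    [ -n "$v" ] || v=$DEFAULT_ROOT_PATH
    printf '%s\n' "${v#PATH=}"   # tolerate a "PATH=" prefix (assumption)
}

# path_findings PATH: one line per entry that is empty or not absolute.
path_findings() {
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            "") echo "empty entry (searched as the current directory)" ;;
            /*) ;;
            *)  echo "relative entry: $entry" ;;
        esac
    done
}

# Constructed sample input, not taken from any real system.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed login.defs fragment
ENV_PATH      /usr/local/bin:/bin:/usr/bin
ENV_ROOTPATH  /usr/local/sbin:/usr/sbin:/sbin
ENV_SUPATH    PATH=/opt/tools/bin::/usr/sbin:scripts:/sbin
EOF

echo "effective root PATH: $(root_path "$SAMPLE")"
path_findings "$(root_path "$SAMPLE")"
```

To audit a real host, pass the path of its logindef config file to root_path instead of the constructed sample.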
normally returns the exit status of the command it executed. If the
command was killed by a signal,
returns the number of the signal plus 128.
Exit status generated by
Generic error before executing the requested command
The requested command could not be executed
The requested command was not found
default PAM configuration file
PAM configuration file if \-\-login is specified
command specific logindef config file
global logindef config file
always logs failed log-in attempts to the btmp file, but it does not write to
the lastlog file at all. This solution makes it possible to control
behavior by PAM configuration. If you want to use the pam_lastlog module to
print a warning message about failed log-in attempts, then pam_lastlog has to
be configured to update the lastlog file as well. For example by:
session required pam_lastlog.so nowtmp
This \fBsu\fR command was
derived from coreutils' \fBsu\fR, which was based on an implementation by
David MacKenzie. The util-linux version has been refactored by Karel Zak.
The su command is part of the util-linux package and is
.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/