.TH SU 1 "July 2014" "util-linux" "User Commands"
su \- run a command with substitute user and group ID
.BR su " [options] [" \- ]
.RI [ user " [" argument ...]]
allows running commands with a substitute user and group ID.
When called without arguments,
defaults to running an interactive shell as
For backward compatibility,
defaults to not changing the current directory and to only setting the
is not root). It is recommended to always use the
option (instead of its shortcut
to avoid side effects caused by mixing environments.
uses PAM for authentication, account and session management. Some
configuration options found in other
implementations, such as support for a wheel group, have to be
is mostly designed for unprivileged users; the recommended solution for
privileged users (e.g. scripts executed by root) is to use the
non-set-user-ID command
that does not require authentication and provides a separate PAM configuration. If
the PAM session is not required at all, then the recommended solution is to use
.BR \-c , " \-\-command" = \fIcommand
to the shell, which may or may not be useful, depending on the shell.
.BR \-g , " \-\-group" = \fIgroup
Specify the primary group. This option is available to the root user only.
.BR \-G , " \-\-supp\-group" = \fIgroup
Specify a supplemental group. This option is available to the root user only. The first specified
supplementary group is also used as a primary group if the option \fB\-\-group\fR is unspecified.
.BR \- , " \-l" , " \-\-login"
Start the shell as a login shell with an environment similar to a real
clears all the environment variables except
and variables specified by \fB\-\-whitelist\-environment\fR
initializes the environment variables
changes to the target user's home directory
sets argv[0] of the shell to
in order to make the shell a login shell
.BR \-m , " \-p" , " \-\-preserve\-environment"
Preserve the entire environment, i.e. it does not set
This option is ignored if the option \fB\-\-login\fR is specified.
Create a pseudo-terminal for the session. The independent terminal provides
better security as the user does not share a terminal with the original
session. This makes it possible to avoid TIOCSTI ioctl terminal injection and other
security attacks against terminal file descriptors. The entire session can
also be moved to the background (e.g. "su --pty - username -c
application &"). If the pseudo-terminal is enabled, then the su command works
as a proxy between the sessions (copying stdin and stdout).
This feature is mostly designed for interactive sessions. If the standard input
is not a terminal but, for example, a pipe (e.g. echo "date" | su --pty), then the ECHO
flag for the pseudo-terminal is disabled to avoid messy output.
.BR \-s , " \-\-shell" = \fIshell
Run the specified \fIshell\fR instead of the default. The shell to run is
selected according to the following rules, in order:
the shell specified with
the shell specified in the environment variable
.B \-\-preserve\-environment
the shell listed in the passwd entry of the target user
If the target user has a restricted shell (i.e. not listed in
environment variables are ignored unless the calling user is root.
.BI \-\-session\-command= command
but do not create a new session. (Discouraged.)
.BR \-w , " \-\-whitelist\-environment" = \fIlist
Don't reset the environment variables specified in the comma-separated \fIlist\fR when clearing the
environment for \fB\-\-login\fR. The whitelist is ignored for the environment variables
.BR \-V , " \-\-version"
Display version information and exit.
.BR \-h , " \-\-help"
Display help text and exit.
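.PP
The recommendations in the options above (spell out \fB\-\-login\fR rather than the \fB\-\fR shortcut, use \fB\-\-pty\fR, avoid \fB\-\-session\-command\fR, and note that \fB\-\-preserve\-environment\fR is ignored with \fB\-\-login\fR) can be checked over the su command lines found in scripts and job definitions. The following is an added example and not part of util-linux; the function name audit_su and the finding strings are hypothetical.

```python
import shlex

# Options that take a value, per the OPTIONS section above. Unique-prefix
# abbreviations of long options (accepted by getopt_long) are not handled.
LONG_WITH_ARG = {"--command", "--group", "--supp-group", "--shell",
                 "--whitelist-environment", "--session-command"}
SHORT_WITH_ARG = set("cgGsw")
ALIASES = {"l": "--login", "P": "--pty", "m": "--preserve-environment",
           "p": "--preserve-environment"}


def audit_su(cmdline):
    """Return sorted advisory findings (hypothetical strings) for one su command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "su":
        return []                             # not an su invocation
    seen, operands, i = set(), [], 1
    while i < len(argv):
        word = argv[i]
        i += 1
        if word == "--":                      # end of options
            operands += argv[i:]
            break
        if word.startswith("--"):
            name, has_value, _ = word.partition("=")
            seen.add(name)
            if name in LONG_WITH_ARG and not has_value:
                i += 1                        # the value is the next word
        elif word.startswith("-") and word != "-":
            for pos, ch in enumerate(word[1:], start=1):
                if ch in SHORT_WITH_ARG:      # value: rest of word or next word
                    if pos == len(word) - 1:
                        i += 1
                    break
                seen.add(ALIASES.get(ch, "-" + ch))
        else:
            operands.append(word)             # "-", user, shell arguments
    dash = operands[:1] == ["-"]              # "-" given before the user name
    login = dash or "--login" in seen
    checks = [
        (dash, "uses '-' shortcut; spell out --login"),
        (not login, "no --login; caller's environment is mixed in"),
        ("--pty" not in seen, "no --pty; terminal is shared with the caller"),
        ("--session-command" in seen, "--session-command is discouraged"),
        ("--preserve-environment" in seen and login,
         "--preserve-environment is ignored with --login"),
    ]
    return sorted(msg for hit, msg in checks if hit)
```

Findings are advisory: as the \fB\-\-pty\fR description notes, that feature is mostly designed for interactive sessions.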
Upon receiving either
terminates its child and afterwards terminates itself with the received signal.
The child is terminated by SIGTERM; after an unsuccessful attempt and 2 seconds of
delay, the child is killed by SIGKILL.
configuration files. The following configuration items are relevant
Delay in seconds in case of an authentication failure. The number must be
a non-negative integer.
Defines the PATH environment variable for a regular user. The
.IR /usr/local/bin:\:/bin:\:/usr/bin .
Defines the PATH environment variable for root. ENV_SUPATH takes precedence. The default value is
.IR /usr/local/sbin:\:/usr/local/bin:\:/sbin:\:/bin:\:/usr/sbin:\:/usr/bin .
and \-\-login and \-\-preserve\-environment were not specified
The environment variable PATH may be different on systems where /bin and /sbin
are merged into /usr.
normally returns the exit status of the command it executed. If the
command was killed by a signal,
returns the number of the signal plus 128.
Exit status generated by
Generic error before executing the requested command
The requested command could not be executed
The requested command was not found
default PAM configuration file
PAM configuration file if \-\-login is specified
command specific logindef config file
global logindef config file
always logs failed log-in attempts to the btmp file, but it does not write to
the lastlog file at all. This solution makes it possible to control
behavior by PAM configuration. If you want to use the pam_lastlog module to
print a warning message about failed log-in attempts, then pam_lastlog has to
be configured to update the lastlog file as well. For example by:
session required pam_lastlog.so nowtmp
This \fBsu\fR command was
derived from coreutils' \fBsu\fR, which was based on an implementation by
David MacKenzie. The util-linux version has been refactored by Karel Zak.
The su command is part of the util-linux package and is
.UR https://\:www.kernel.org\:/pub\:/linux\:/utils\:/util-linux/