SU(8) Maintenance Procedures SU(8)


su - become superuser or another user


su [-] [username [arg...]]


The su command allows one to become another user without logging off or
to assume a role. The default user name is root (superuser).

To use su, the appropriate password must be supplied (unless the invoker
is already root). If the password is correct, su creates a new shell
process that has the real and effective user ID, group IDs, and
supplementary group list set to those of the specified username.
Additionally, the new shell's project ID is set to the default project ID
of the specified user. See getdefaultproj(3PROJECT),
setproject(3PROJECT). The new shell will be the shell specified in the
shell field of username's password file entry (see passwd(5)). If no
shell is specified, /usr/bin/sh is used (see sh(1)). If superuser
privilege is requested and the shell for the superuser cannot be invoked
using exec(2), /sbin/sh is used as a fallback. To return to normal user
ID privileges, type an EOF character (CTRL-D) to exit the new shell.

Any additional arguments given on the command line are passed to the new
shell. When using programs such as sh, an arg of the form -c string
executes string using the shell and an arg of -r gives the user a
restricted shell.

To create a login environment, the command "su -" does the following:

o In addition to what is already propagated, the LC* and LANG
environment variables from the specified user's environment
are also propagated.

o Propagate TZ from the user's environment. If TZ is not found
in the user's environment, su uses the TZ value from the
TIMEZONE parameter found in /etc/default/login.

o Set MAIL to /var/mail/new_user.

If the first argument to su is a dash (-), the environment will be
changed to what would be expected if the user actually logged in as the
specified user. Otherwise, the environment is passed along, with the
exception of $PATH, which is controlled by PATH and SUPATH in

All attempts to become another user using su are logged in the log file
/var/adm/sulog (see sulog(5)).


su uses pam(3PAM) with the service name su for authentication, account
management, and credential establishment.


Example 1: Becoming User bin While Retaining Your Previously Exported


To become user bin while retaining your previously exported environment,

example% su bin

Example 2: Becoming User bin and Changing to bin's Login Environment

To become user bin but change the environment to what would be expected
if bin had originally logged in, execute:

example% su - bin

Example 3: Executing command with user bin's Environment and Permissions

To execute command with the temporary environment and permissions of user
bin, type:

example% su - bin -c "command args"


Variables with LD_ prefix are removed for security reasons. Thus, su bin
will not retain previously exported variables with LD_ prefix while
becoming user bin.

If any of the LC_* variables ( LC_CTYPE, LC_MESSAGES, LC_TIME,
LC_COLLATE, LC_NUMERIC, and LC_MONETARY) (see environ(7)) are not set in
the environment, the operational behavior of su for each corresponding
locale category is determined by the value of the LANG environment
variable. If LC_ALL is set, its contents are used to override both the
LANG and the other LC_* variables. If none of the above variables are set
in the environment, the "C" (U.S. style) locale determines how su

Determines how su handles characters. When LC_CTYPE is set
to a valid value, su can display and handle text and
filenames containing valid characters for that locale. su
can display and handle Extended Unix Code (EUC) characters
where any individual character can be 1, 2, or 3 bytes
wide. su can also handle EUC characters of 1, 2, or more
column widths. In the "C" locale, only characters from ISO
8859-1 are valid.

Determines how diagnostic and informative messages are
presented. This includes the language and style of the
messages, and the correct form of affirmative and negative
responses. In the "C" locale, the messages are presented
in the default form found in the program itself (in most
cases, U.S. English).


user's login commands for sh and ksh

system's password file

system-wide sh and ksh login commands

log file

the default parameters in this file are:

If defined, all attempts to su to
another user are logged in the indicated

If defined, all attempts to su to root
are logged on the console.

Default path. (/usr/bin:)

Default path for a user invoking su to
root. (/usr/sbin:/usr/bin)

Determines whether the syslog(3C)
LOG_AUTH facility should be used to log
all su attempts. LOG_NOTICE messages are
generated for su's to root, LOG_INFO
messages are generated for su's to other
users, and LOG_CRIT messages are
generated for failed su attempts.

the default parameters in this file are:

Sets the TZ environment variable of the


csh(1), env(1), ksh(1), login(1), roles(1), sh(1), exec(2), syslog(3C),
pam(3PAM), pam_acct_mgmt(3PAM), pam_authenticate(3PAM),
pam_setcred(3PAM), getdefaultproj(3PROJECT), setproject(3PROJECT),
pam.conf(5), passwd(5), profile(5), sulog(5), attributes(7), environ(7),

February 26, 2004 SU(8)