su Command
Purpose
Changes the user ID associated with a session.
Syntax
su [ - ] [ Name [ Argument ... ] ]
Description
The su command
changes user credentials to those of the root user or to the user
specified by the Name parameter, and initiates a new session.
The user name might include a Distributed Computing Environment (DCE)
cell specification.
Note: The
root user is not required to satisfy the DCE authentication when switching
to a DCE user. In this case, the user's DCE credentials are not required.
Any arguments, such as flags or parameters, that
are specified by the Arguments parameter must relate to the
login shell defined for the user specified by the Name parameter.
These arguments are passed to the specified user's login shell. For
example, if the login shell for user Fred is /usr/bin/csh,
you can include any of the flags for the csh command, such
as the -f flag. When the su command runs, it passes
the -f flag to the csh command. When the csh command
runs, the -f flag omits the .cshrc startup script.
Note: If the domainlessgroups attribute is set in
the /etc/secvars.cfg file and if the user belongs to the Lightweight
Directory Access Protocol (LDAP) domain or files domain, all the group
IDs are fetched from the LDAP domain and the files domain.
The following functions are performed by the su command:
| Item | Description |
|---|---|
| account checking | Validates the user account to be certain it exists, that it is enabled for the su command, that the current user is in a group permitted to switch to this account with the su command, and that it can be used from the current controlling terminal. |
| user authentication | Validates the user's identity, using the system-defined primary authentication methods for the user. If a password has expired, the user must supply a new password. |
| credentials establishment | Establishes initial user credentials, using the values in the user database. These credentials define the user's access rights and accountability on the system. |
| session initiation | If the - flag is specified, the su command initializes the user environment from the values in the user database and the /etc/environment file. When the - flag is not used, the su command does not change the directory. |
These functions are performed in the sequence shown. If one function is unsuccessful, the succeeding functions are not done. Refer to the ckuseracct, ckuserID, authenticate, setpcred, and setpenv subroutines for the semantics of these functions.
To restore the previous session, type exit or press the Ctrl-D key sequence. This action ends the shell called by the su command and returns you to the previous shell, user ID, and environment.
If the su command is run from the /usr/bin/tsh shell, the trusted shell, you exit from that shell. The su command does not change the security characteristics of the controlling terminal.
Each time the su command is executed, an entry is made in the /var/adm/sulog file. The /var/adm/sulog file records the following information: date, time, system name, and login name. The /var/adm/sulog file also records whether or not the login attempt was successful: a + (plus sign) indicates a successful login, and a - (minus sign) indicates an unsuccessful login.
Note: Successful use of the su command
resets the unsuccessful_login_count attribute in the /etc/security/lastlog file
only if the user's rlogin and login attributes are both
set to false in /etc/security/user. Otherwise, the su command
doesn't reset the unsuccessful_login_count, because the administrator
often uses the su command to fix user account problems. The
user is able to reset the attribute through a local or remote login.
Flags
| Item | Description |
|---|---|
| - | Specifies that the process environment is to be set as if the user had logged in to the
system using the login command. Nothing in the current environment is propagated to the new
shell. Note: This behavior is intended for
compatibility with alternate UNIX shell environments where flag options are allowed ahead of the
Name parameter.
|
Security
The su command is a PAM-enabled
application with a service name of su. System-wide
configuration to use PAM for authentication is set by modifying the
value of the auth_type attribute, in the usw stanza
of /etc/security/login.cfg, to PAM_AUTH as
the root user.
The authentication mechanisms used when PAM
is enabled depend on the configuration for the
su service
in /etc/pam.conf. The su command requires /etc/pam.conf entries
for the auth, account, password,
and session module types. In order for the su command
to exhibit a similar behavior through PAM authentication as seen in
standard AIX®authentication,
the pam_allowroot module must be used as sufficient
and called before pam_aix in both the auth and account su
service stacks. Listed below is a recommended configuration in /etc/pam.conf for
the su service: #
# AIX su configuration
#
su auth sufficient /usr/lib/security/pam_allowroot
su auth required /usr/lib/security/pam_aix
su account sufficient /usr/lib/security/pam_allowroot
su account required /usr/lib/security/pam_aix
su session required /usr/lib/security/pam_aix
su password required /usr/lib/security/pam_aixAttention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged
operations. For more information about authorizations and privileges, see Privileged Command
Database in Security. For a list of privileges and the
authorizations associated with this command, see the lssecattr command or the
getcmdattr subcommand.
To get
the full functionality of the command, besides the accessauths,
the role should also have the aix.security.su authorization.On
a Trusted AIX system, when
the su command is invoked with the - flag, the following
conditions must be met for both sensitivity and integrity labels:
- The current user's maximum clearance must dominate the new user's maximum clearance.
- The new user's minimum clearance must dominate the current user's minimum clearance.
- The current user's effective clearance must be dominated by the new user's maximum clearance and must dominate the new user's minimum clearance.
Examples
- To obtain root user authority, enter one of the following
commands:
This command runs a subshell with the effective user ID and privileges of the root user. You will be asked for the root password. Press End-of-File, Ctrl+D key sequence, to end the subshell and return to your original shell session and privileges.su
This command runs a subshell with the effective user ID and privileges of the root user. Enter the root password, when prompted. Press End-of-File, Ctrl+D key sequence, to end the subshell and return to your original shell session and privileges.su -- - To obtain the privileges of the jim user, enter
the following command:
This command runs a subshell with the effective user ID and privileges of jim.su jim - To set up the environment
as if you had logged in as the jim user, enter: su - jimThis starts a subshell using jim's login environment.
- To run the backup command with root user authority and then
return to your original shell, enter:
This command runs the backup command with root user authority within root's default shell. You must give the correct root password when queried for the command to execute.su root "-c /usr/sbin/backup -9 -u" - Enter one of the following commands to change the user credentials of the current
session to root user:
su -su - rootsu - --The preceding commands start a subshell by using the root user's login environment.
Files
| Item | Description |
|---|---|
| /usr/bin/su | Contains the su command. |
| /etc/environment | Contains user environment values. |
| /etc/group | Contains the basic group attributes. |
| /etc/passwd | Contains the basic user attributes. |
| /etc/security/user | Contains the extended attributes of users. |
| /etc/security/environ | Contains the environment attributes of users. |
| /etc/security/limits | Contains the process resource limits of users. |
| /etc/security/passwd | Contains password information. |
| /var/adm/sulog | Contains information about login attempts. |
| /etc/security/enc/LabelEncodings | Contains label definitions for the Trusted AIX system. |