The su command enables one to become another user without logging off. The default username is root. If the username is a role, the current user must have been assigned the role, but role assumption is generally not useful with this command. Roles usually require trusted path and the

To use su, the appropriate password must be supplied unless su inherits the proc_setid privilege. By default, authentication must be done through the trusted path, as is the case when running in a role workspace. If the su command is executed without the trusted path, an authorization check is made if the option su_auth_check_on is specified in pam.conf(4) for the su service module pam_tp_auth(5). The authorization checked by this module, solaris.login.su, should be assigned to the target username rather than the current user.
If authentication is successful, su creates a new shell process that has the real and effective user ID, group IDs, and supplementary group list set to those of the specified username.
Any additional arguments given on the command line are passed to the new shell. When using programs such as sh, an arg of the form -c string executes string using the shell and an arg of -r gives the user a restricted shell.
The following statements are true if the login shell is /usr/bin/sh or an empty string (which defaults to /usr/bin/sh) in the specific user's password file entry. If the first argument to su is a dash (-), the environment will be changed to what would be expected if the user actually logged in as the specified user. Otherwise, the environment is passed along, with the exception of $PATH, which is controlled by PATH and SUPATH in /etc/default/su. Additionally, the user's project ID is set if the dash argument is present. See settaskid(2).
All attempts to become another user using su are logged in the log file /var/adm/sulog (see sulog(4)).
su uses pam(3PAM) for authentication and account management. The PAM configuration policy, listed through /etc/pam.conf, specifies the modules to be used for su. Here is a partial pam.conf file with entries for the su command using the UNIX authentication and account management.

su auth requisite /usr/lib/security/pam_unix.so.1 su_auth_check_on
su auth sufficient /usr/lib/security/pam_tp_auth.so.1
su account requisite /usr/lib/security/pam_roles.so.1
su account required /usr/lib/security/pam_unix.so.1
su account required /usr/lib/security/pam_tsol.so.1
If there are no entries for the su service, then the entries for the "other" service will be used. If multiple authentication modules are listed, then the user may be prompted for multiple passwords.
example% su bin
example% su - bin
example% su - bin -c "command args"
Variables with LD_ prefix are removed for security reasons. Thus, su bin will not retain previously exported variables with LD_ prefix while becoming user bin.
If any of the LC_* variables (LC_CTYPE, LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and LC_MONETARY) (see environ(5)) are not set in the environment, the operational behavior of su for each corresponding locale category is determined by the value of the LANG environment variable. If LC_ALL is set, its contents are used to override both the LANG and the other LC_* variables. If none of the above variables are set in the environment, the "C" (U.S. style) locale determines how su behaves.
LC_CTYPE
    Determines how su handles characters. When LC_CTYPE is set to a valid value, su can display and handle text and filenames containing valid characters for that locale. su can display and handle Extended Unix Code (EUC) characters where any individual character can be 1, 2, or 3 bytes wide. su can also handle EUC characters of 1, 2, or more column widths. In the "C" locale, only characters from ISO 8859-1 are valid.

LC_MESSAGES
    Determines how diagnostic and informative messages are presented. This includes the language and style of the messages, and the correct form of affirmative and negative responses. In the "C" locale, the messages are presented in the default form found in the program itself (in most cases, U.S. English).
$HOME/.profile
    user's login commands for sh and ksh

/etc/passwd
    system's password file

/etc/profile
    system-wide sh and ksh login commands

/etc/default/su
    the default parameters in this file are:

    SULOG
        If defined, all attempts to su to another user are logged in the indicated file.

    CONSOLE
        If defined, all attempts to su to root are logged on the console.

    PATH
        Default path. (/usr/bin:)

    SUPATH
        Default path for a user invoking su to root. (/usr/sbin:/usr/bin)

    SYSLOG
        Determines whether the syslog(3C) LOG_AUTH facility should be used to log all su attempts. LOG_NOTICE messages are generated for su's to root, LOG_INFO messages are generated for su's to other users, and LOG_CRIT messages are generated for failed su attempts.

    SLEEPTIME
        If present, sets the number of seconds to wait before login failure is printed to the screen and another login attempt is allowed. Default is 4 seconds. Minimum is 0 seconds. Maximum is 5 seconds.
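As an added example (not part of this su page), the following Python reads entries in the sulog(4) layout, assumed here to be `SU MM/DD hh:mm <+|-> <tty> <from>-<to>` with `+` for success and `-` for failure, maps each attempt to the syslog(3C) priority described under SYSLOG above, and reports users with repeated failed attempts to become root; the sample lines and the threshold of three are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/adm/sulog entries (not a real log).
# Layout assumed from sulog(4): SU MM/DD hh:mm <+|-> <tty> <from>-<to>
SAMPLE_SULOG = """\
SU 03/14 09:02 + pts/1 alice-root
SU 03/14 09:05 - pts/1 bob-root
SU 03/14 09:05 - pts/1 bob-root
SU 03/14 09:06 - pts/1 bob-root
SU 03/14 09:30 + pts/2 alice-bin
SU 03/14 10:11 + console root-sys
SU 03/14 10:12 ? pts/9 not-a-valid-entry
"""

SULOG_RE = re.compile(
    r"^SU (?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d) (?P<result>[+-]) "
    r"(?P<tty>\S+) (?P<src>[^-\s]+)-(?P<dst>\S+)$"
)


def parse_sulog(text):
    """Return one dict per well-formed sulog line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["ok"] = entry.pop("result") == "+"
            entries.append(entry)
    return entries


def syslog_level(entry):
    """Priority su uses for this attempt when SYSLOG logging is enabled:
    LOG_CRIT for failures, LOG_NOTICE for su to root, LOG_INFO otherwise."""
    if not entry["ok"]:
        return "LOG_CRIT"
    return "LOG_NOTICE" if entry["dst"] == "root" else "LOG_INFO"


def failed_root_attempts(entries, threshold=3):
    """Source users with at least `threshold` failed su-to-root attempts."""
    counts = Counter(e["src"] for e in entries
                     if not e["ok"] and e["dst"] == "root")
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    parsed = parse_sulog(SAMPLE_SULOG)
    for e in parsed:
        print(e["date"], e["time"], e["src"], "->", e["dst"], syslog_level(e))
    print("repeated failed su to root:", failed_root_attempts(parsed))
```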
See attributes(5) for descriptions of the following attributes:
The specified username may need the authorization solaris.login.su if the trusted path policy is enabled. Users should use the Trusted Path menu to assume a role.