Annotation of src/usr.bin/su/su.1, Revision 1.12
1.12 ! millert 1: .\" $OpenBSD: su.1,v 1.11 2001/05/01 17:58:04 aaron Exp $
1.9 aaron 2: .\"
1.1 deraadt 3: .\" Copyright (c) 1988, 1990 The Regents of the University of California.
4: .\" All rights reserved.
5: .\"
6: .\" Redistribution and use in source and binary forms, with or without
7: .\" modification, are permitted provided that the following conditions
8: .\" are met:
9: .\" 1. Redistributions of source code must retain the above copyright
10: .\" notice, this list of conditions and the following disclaimer.
11: .\" 2. Redistributions in binary form must reproduce the above copyright
12: .\" notice, this list of conditions and the following disclaimer in the
13: .\" documentation and/or other materials provided with the distribution.
14: .\" 3. All advertising materials mentioning features or use of this software
15: .\" must display the following acknowledgement:
16: .\" This product includes software developed by the University of
17: .\" California, Berkeley and its contributors.
18: .\" 4. Neither the name of the University nor the names of its contributors
19: .\" may be used to endorse or promote products derived from this software
20: .\" without specific prior written permission.
21: .\"
22: .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25: .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32: .\" SUCH DAMAGE.
33: .\"
34: .\" from: @(#)su.1 6.12 (Berkeley) 7/29/91
35: .\"
36: .Dd July 29, 1991
37: .Dt SU 1
38: .Os
39: .Sh NAME
40: .Nm su
41: .Nd substitute user identity
42: .Sh SYNOPSIS
43: .Nm su
1.12 ! millert 44: .Op Fl fKlm
! 45: .Op Fl a Ar auth-type
1.10 millert 46: .Op Fl c Ar login-class
1.1 deraadt 47: .Op Ar login Op Ar "shell arguments"
48: .Sh DESCRIPTION
1.8 aaron 49: .Nm
1.1 deraadt 50: requests the Kerberos password for
51: .Ar login
52: (or for
53: .Dq Ar login Ns .root ,
54: if no login is provided), and switches to
1.7 aaron 55: that user and group ID after obtaining a Kerberos ticket granting access.
1.1 deraadt 56: A shell is then executed, and any additional
57: .Ar "shell arguments"
58: after the login name
59: are passed to the shell.
1.8 aaron 60: .Nm
1.1 deraadt 61: will resort to the local password file to find the password for
62: .Ar login
1.4 millert 63: if there is a Kerberos error or if Kerberos is not installed.
1.1 deraadt 64: If
1.8 aaron 65: .Nm
1.1 deraadt 66: is executed by root, no password is requested and a shell
67: with the appropriate user ID is executed; no additional Kerberos tickets
68: are obtained.
69: .Pp
70: By default, the environment is unmodified with the exception of
1.5 millert 71: .Ev LOGNAME ,
1.1 deraadt 72: .Ev HOME ,
1.12 ! millert 73: .Ev SHELL ,
1.1 deraadt 74: and
1.12 ! millert 75: .Ev USER .
1.1 deraadt 76: .Ev HOME
77: and
78: .Ev SHELL
79: are set to the target login's default values.
1.5 millert 80: .Ev LOGNAME
81: and
1.1 deraadt 82: .Ev USER
1.12 ! millert 83: are set to the target login, unless the target login has a user ID of 0
! 84: and the
! 85: .Fl l
! 86: flag was not specified,
1.1 deraadt 87: in which case it is unmodified.
88: The invoked shell is the target login's.
89: This is the traditional behavior of
90: .Nm su .
91: .Pp
1.12 ! millert 92: If not using
! 93: .Fl m
! 94: and the target login has a user ID of 0 then the
! 95: .Ev PATH
! 96: variable and umask value
! 97: (see
! 98: .Xr umask 2 )
! 99: are always set according to the
! 100: .Pa /etc/login.conf
! 101: file (see
! 102: .Xr login.conf 5 ) .
! 103: .Pp
1.1 deraadt 104: The options are as follows:
105: .Bl -tag -width Ds
1.12 ! millert 106: .It Fl a
! 107: Specify an authentication type such as
! 108: .Dq skey ,
! 109: .Dq securid ,
! 110: or
! 111: .Dq kerberos .
1.10 millert 112: .It Fl c
113: Specify a login class.
114: You may only override the default class if you're already root.
1.1 deraadt 115: .It Fl f
116: If the invoked shell is
117: .Xr csh 1 ,
118: this option prevents it from reading the
119: .Dq Pa .cshrc
120: file.
1.12 ! millert 121: .It Fl K
! 122: Do not attempt to use Kerberos to authenticate the user.
1.1 deraadt 123: .It Fl l
124: Simulate a full login.
125: The environment is discarded except for
126: .Ev HOME ,
127: .Ev SHELL ,
128: .Ev PATH ,
129: .Ev TERM ,
1.5 millert 130: .Ev LOGNAME ,
1.1 deraadt 131: and
132: .Ev USER .
133: .Ev HOME
134: and
135: .Ev SHELL
136: are modified as above.
1.5 millert 137: .Ev LOGNAME
138: and
1.1 deraadt 139: .Ev USER
1.5 millert 140: are set to the target login.
1.1 deraadt 141: .Ev PATH
1.12 ! millert 142: is set to the value specified by the
! 143: .Dq path
! 144: entry in
! 145: .Xr login.conf 5 .
1.1 deraadt 146: .Ev TERM
147: is imported from your current environment.
148: The invoked shell is the target login's, and
1.8 aaron 149: .Nm
1.1 deraadt 150: will change directory to the target login's home directory.
151: .It Fl m
152: Leave the environment unmodified.
153: The invoked shell is your login shell, and no directory changes are made.
154: As a security precaution, if the target user's shell is a non-standard
155: shell (as defined by
156: .Xr getusershell 3 )
1.7 aaron 157: and the caller's real UID is
1.1 deraadt 158: non-zero,
1.8 aaron 159: .Nm
1.1 deraadt 160: will fail.
161: .El
162: .Pp
163: The
164: .Fl l
165: and
166: .Fl m
167: options are mutually exclusive; the last one specified
168: overrides any previous ones.
1.8 aaron 169: .Pp
170: If the optional
1.4 millert 171: .Ar "shell arguments"
1.8 aaron 172: are provided on the command line, they are passed to the login shell of
1.9 aaron 173: the target login.
174: This allows it to pass arbitrary commands via the
1.8 aaron 175: .Fl c
1.9 aaron 176: option as understood by most shells.
177: Note that
1.8 aaron 178: .Fl c
1.4 millert 179: usually expects a single argument only; you have to quote it when
1.8 aaron 180: passing multiple words.
1.1 deraadt 181: .Pp
1.2 deraadt 182: If group 0 (normally
1.1 deraadt 183: .Dq wheel )
1.2 deraadt 184: has users listed then only those users can
1.8 aaron 185: .Nm
1.2 deraadt 186: to
187: .Dq root .
1.6 provos 188: It is not sufficient to change a user's
189: .Pa /etc/passwd
190: entry to add them to the
191: .Dq wheel
192: group; they must explicitly be listed in
193: .Pa /etc/group .
194: If no one is in the
195: .Dq wheel
196: group, it is ignored, and anyone who knows the root password is permitted to
1.8 aaron 197: .Nm
1.1 deraadt 198: to
199: .Dq root .
200: .Pp
1.9 aaron 201: By default (unless the prompt is reset by a startup file) the superuser
1.1 deraadt 202: prompt is set to
203: .Dq Sy \&#
204: to remind one of its awesome power.
1.8 aaron 205: .Sh EXAMPLES
206: .Bl -tag -width 5n -compact
207: .It Li "su bin -c makewhatis"
208: Runs the command
209: .Li makewhatis
210: as user
211: .Li bin .
212: You will be asked for bin's password unless your real UID is 0.
1.4 millert 213: .Pp
214: .It Li "su bin -c 'makewhatis /usr/local/man'"
1.8 aaron 215: Same as above, but the target command consists of more than a
216: single word.
1.4 millert 217: .Pp
1.8 aaron 218: .It Li "su -l foo"
219: Pretend a login for user
220: .Li foo .
221: .El
1.1 deraadt 222: .Sh ENVIRONMENT
1.9 aaron 223: .Bl -tag -width LOGNAME
1.1 deraadt 224: .It Ev HOME
225: Default home directory of real user ID unless modified as
226: specified above.
1.12 ! millert 227: .It Ev LOGNAME
! 228: The user ID is always the effective ID (the target user ID) after an
! 229: .Nm
! 230: unless the user ID is 0 (root).
1.1 deraadt 231: .It Ev PATH
232: Default search path of real user ID unless modified as specified above.
233: .It Ev TERM
234: Provides terminal type which may be retained for the substituted
235: user ID.
1.5 millert 236: .It Ev USER
237: Same as
238: .Ev LOGNAME .
1.1 deraadt 239: .El
1.9 aaron 240: .Sh SEE ALSO
241: .Xr csh 1 ,
242: .Xr kerberos 1 ,
243: .Xr kinit 1 ,
244: .Xr login 1 ,
245: .Xr sh 1 ,
246: .Xr skey 1 ,
1.10 millert 247: .Xr setusercontext 3 ,
1.9 aaron 248: .Xr group 5 ,
1.10 millert 249: .Xr login.conf 5 ,
1.9 aaron 250: .Xr passwd 5 ,
251: .Xr environ 7
1.1 deraadt 252: .Sh HISTORY
253: A
254: .Nm
255: command appeared in
256: .At v7 .
1.12 ! millert 257: .Sh BUGS
! 258: There is no direct way to force a particular shell to be used.
! 259: .Pp
! 260: The login name is not optional for root if there are shell arguments.
![[BACK]](/icons/back.gif){kind=icon}
Return to su.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / su