Linux su command
On Unix-like operating systems, the su command changes the current user ID to that of the superuser, or another specified user.
This page covers the GNU/Linux version of su.
Description
The su command, which is short for substitute user or switch user, enables the current user to act as another user during the current login session.
Syntax
su [options] [username]
If no username is specified, su defaults to becoming the superuser (root).
Additional arguments may be provided after the username, in which case they are supplied to the user's login shell. In particular, an argument of -c causes the next argument to be treated as a command by most command interpreters. The command will be executed by the shell specified in /etc/passwd for the target user.
The optional argument "-" (a dash) can provide an environment similar to what the user would expect had the user logged in directly.
You can use the "--" argument to separate su options from the arguments supplied to the shell.
The user will be prompted for a password, if appropriate. Invalid passwords produce an error message. All attempts, both valid and invalid, are logged to detect abuse of the system.
The current environment is passed to the new shell. The value of $PATH is reset to "/bin:/usr/bin" for normal users, or "/sbin:/bin:/usr/sbin:/usr/bin" for the superuser. This may be changed with the ENV_PATH and ENV_SUPATH definitions in /etc/login.defs.
A subsystem login is indicated by the presence of a "*" as the first character of the login shell. The given home directory will be used as the root of a new file system which the user is actually logged into.
Options
-c, --command COMMAND | Specify a command that will be invoked by the shell using its -c. The executed command will have no controlling terminal. This option cannot be used to execute interactive programs which need a controlling TTY. |
-, -l, --login | Provide an environment similar to what the user would expect had the user logged in directly. When - is used, it must be specified as the last su option. The other forms (-l and --login) do not have this restriction. |
-s, --shell SHELL | The shell that will be invoked. The invoked shell is chosen from (highest priority first):
|
-m, -p, --preserve-environment |
Preserve the current environment, except for the following variables:
If the target user has a restricted shell, this option has no effect (unless su is called by root). Note that the default behavior for the environment is the following:
|
Configuration
The following configuration variables, located in the file /etc/login.defs, change the behavior of su:
Variable | Type | Description |
CONSOLE_GROUPS | string | List of groups to add to the user's supplementary groups set when logging in on the console (as determined by the CONSOLE setting). Default is "none". Use this with caution; it is possible for users to gain permanent access to these groups, even when not logged in on the console. |
DEFAULT_HOME | boolean | Indicate if login is allowed even if the requesting user can't change to the requested home directory. The default is no. If set to yes, the user will log in in the root (/) directory if it's not possible to cd to their home directory. |
ENV_PATH | string | If set, it will be used to define the PATH environment variable when a regular user logs in. The value is a colon-separated list of paths (for example "/bin:/usr/bin") and can be preceded by PATH=. The default value is "PATH=/bin:/usr/bin". |
ENV_SUPATH | string | If set, it will be used to define the PATH environment variable when the superuser logs in. The value is a colon-separated list of paths (for example "/sbin:/bin:/usr/sbin:/usr/bin") and can be preceded by PATH=. The default value is "PATH=/sbin:/bin:/usr/sbin:/usr/bin". |
SULOG_FILE | string | If defined, all su activity is logged to this file, known as the sulog. |
SU_NAME | string | If defined, the command name to display when running "su -". For example, if this is defined as "su" then a ps displays the command as "-su". If not defined, then ps would display the name of the shell actually being run, e.g., something like "-sh". |
SYSLOG_SU_ENAB | boolean | Enable "syslog" logging of su activity - in addition to sulog file logging. |
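The variables in the table above can be checked mechanically. The following script is an added example, not part of the original page or of the su package: it audits a login.defs-style file for missing su logging, non-absolute entries in ENV_PATH and ENV_SUPATH, a CONSOLE_GROUPS value other than "none", and DEFAULT_HOME set to yes. The function names are hypothetical, the sample input is constructed, and an unset SYSLOG_SU_ENAB is treated as disabled (an assumption).

```sh
#!/bin/sh
# Added example: audit the su-related variables of a login.defs-style file.
findings=0
warn() { printf 'WARN: %s\n' "$1"; findings=$((findings + 1)); }

# Print the last value assigned to variable $2 in file $1 (empty if unset).
defs_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                   END { print v }' "$1"
}

# Warn about PATH entries that are empty, "." or otherwise not absolute.
check_path() {                        # $1 = variable name, $2 = its value
    p=${2#PATH=}                      # the PATH= prefix is optional
    [ -n "$p" ] || return 0           # unset: the built-in default applies
    p="$p:"                           # terminator exposes an empty last entry
    old_ifs=$IFS; IFS=:; set -f
    for d in $p; do
        case $d in
            /*) ;;
            *)  warn "$1 contains non-absolute entry '$d'" ;;
        esac
    done
    IFS=$old_ifs; set +f
}

audit_su_defs() {                     # $1 = path to the file to audit
    findings=0
    # Assumption: an unset SYSLOG_SU_ENAB is treated as disabled.
    if [ "$(defs_get "$1" SYSLOG_SU_ENAB)" != yes ] &&
       [ -z "$(defs_get "$1" SULOG_FILE)" ]; then
        warn "su activity goes neither to syslog nor to a sulog file"
    fi
    check_path ENV_PATH   "$(defs_get "$1" ENV_PATH)"
    check_path ENV_SUPATH "$(defs_get "$1" ENV_SUPATH)"
    cg=$(defs_get "$1" CONSOLE_GROUPS)
    case $cg in ''|none) ;; *) warn "CONSOLE_GROUPS adds groups: $cg" ;; esac
    [ "$(defs_get "$1" DEFAULT_HOME)" != yes ] ||
        warn "DEFAULT_HOME=yes: login proceeds in / when home is unreachable"
    [ "$findings" -eq 0 ]             # status 0 only when nothing was flagged
}
sample_defs() {                       # constructed sample, not a real system's file
    printf '%s\n' 'SYSLOG_SU_ENAB no' 'ENV_PATH PATH=/bin:/usr/bin' \
        'ENV_SUPATH PATH=/sbin:/bin:.:/usr/sbin:/usr/bin' \
        'CONSOLE_GROUPS floppy:audio'
}
tmp=$(mktemp) && sample_defs > "$tmp"
audit_su_defs "$tmp" || echo "$findings finding(s) in constructed sample"
rm -f "$tmp"
```

To audit a real system, call audit_su_defs /etc/login.defs; the function's exit status is non-zero when anything was flagged.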
Exit values
On success, su returns the exit value of the command it executed.
If this command was terminated by a signal, su returns the number of this signal plus 128.
If su has to kill the command (because it was asked to terminate, and the command did not terminate in time), su returns 255.
Some exit values from su are independent from the executed command:
0 | Success (--help only). |
1 | System or authentication failure. |
126 | The requested command was not found. |
127 | The requested command could not be executed. |
Examples
su - hope
Switch the current user ID to that of user hope, and set the environment to hope's login environment.
Related commands
csh — The C shell command interpreter.
env — Report the value of environment variables.
ksh — The Korn shell command interpreter.
login — Begin a session on a system.
sh — The Bourne shell command interpreter.
sudo — Execute a command as the superuser.