SU(1)                      OpenBSD Reference Manual                      SU(1)

NAME
     su - substitute user identity



SYNOPSIS
     su [-Kflm] [login [shell arguments]]

DESCRIPTION
     su requests the Kerberos password for login (or for ``login.root'', if no
     login is provided), and switches to that user and group ID after obtain-
     ing a Kerberos ticket granting access.  A shell is then executed, and any
     additional shell arguments after the login name are passed to the shell.
     su will resort to the local password file to find the password for login
     if there is a Kerberos error or if Kerberos is not installed.  If su is
     executed by root, no password is requested and a shell with the appropri-
     ate user ID is executed; no additional Kerberos tickets are obtained.

     Alternately, if the user enters the password "s/key", they will be au-
     thenticated using the S/Key one-time password system as described in
     skey(1).  S/Key is a Trademark of Bellcore.

     By default, the environment is unmodified with the exception of LOGNAME,
     USER, HOME, and SHELL. HOME and SHELL are set to the target login's de-
     fault values.  LOGNAME and USER are set to the target login, unless the
     target login has a user ID of 0, in which case it is unmodified.  The in-
     voked shell is the target login's.  This is the traditional behavior of
     su.

     The options are as follows:

     -K      Do not attempt to use Kerberos to authenticate the user.

     -f      If the invoked shell is csh(1),  this option prevents it from
             reading the ``.cshrc'' file.

     -l      Simulate a full login.  The environment is discarded except for
             HOME, SHELL, PATH, TERM, LOGNAME, and USER. HOME and SHELL are
             modified as above.  LOGNAME and USER are set to the target login.
             PATH is set to ``/usr/bin:/bin''. TERM is imported from your cur-
             rent environment.  The invoked shell is the target login's, and
             su will change directory to the target login's home directory.

     -m      Leave the environment unmodified.  The invoked shell is your lo-
             gin shell, and no directory changes are made.  As a security pre-
             caution, if the target user's shell is a non-standard shell (as
             defined by getusershell(3))  and the caller's real UID is non-ze-
             ro, su will fail.

     The -l and -m options are mutually exclusive; the last one specified
     overrides any previous ones.

     If the optional shell arguments are provided on the command line, they
     are passed to the login shell of the target login.  This allows it to
     pass arbitrary commands via the -c option as understood by most shells.
     Note that -c usually expects a single argument only; you have to quote it
     when passing multiple words.

     If group 0 (normally ``wheel'') has users listed then only those users
     can su to ``root''. It is not sufficient to change a user's /etc/passwd
     entry to add them to the ``wheel'' group; they must explicitly be listed
     in /etc/group. If no one is in the ``wheel'' group, it is ignored, and
     anyone who knows the root password is permitted to su to ``root''.

     By default (unless the prompt is reset by a startup file) the super-user
     prompt is set to ``#'' to remind one of its awesome power.

EXAMPLES
     su bin -c makewhatis
            Runs the command makewhatis as user bin. You will be asked for
            bin's password unless your real UID is 0.

     su bin -c 'makewhatis /usr/local/man'
            Same as above, but the target command consists of more than a sin-
            gle word.

     su -l foo
            Pretend a login for user foo.

SEE ALSO
     csh(1),  kerberos(1),  kinit(1),  login(1),  sh(1),  skey(1),  group(5),
     passwd(5),  environ(7)

ENVIRONMENT
     Environment variables used by su:

     HOME  Default home directory of real user ID unless modified as specified
           above.

     PATH  Default search path of real user ID unless modified as specified
           above.

     TERM  Provides terminal type which may be retained for the substituted
           user ID.

     LOGNAME
           The user ID is always the effective ID (the target user ID) after
           an su unless the user ID is 0 (root).

     USER  Same as LOGNAME.

HISTORY
     A su command appeared in Version 7 AT&T UNIX.  The version described here
     is an adaptation of the MIT Athena Kerberos command.

OpenBSD 2.6                      July 29, 1991                               2