SU(1)			    General Commands Manual			 SU(1)

NAME
       su -- substitute user identity

SYNOPSIS
       su [-] [-c class] [-flms] [login [args]]

DESCRIPTION
       The su utility requests appropriate user credentials via PAM and
       switches to that user ID (the default user is the superuser).  A shell
       is then executed.

       PAM is used to set the policy su will use.  In particular, by default
       only users in the "wheel" group can switch to UID 0 ("root").  This
       group requirement may be changed by modifying the "pam_group" section
       of /etc/pam.d/su.  See pam_group(8) for details on how to modify this
       setting.
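
       An audit check for the pam_group policy described above.  This is an
       added example, not part of the manual page or of FreeBSD; the function
       names and both sample policies are constructed for illustration, and
       "group=" and "deny" are pam_group(8) options.

```python
ENFORCING = {"required", "requisite", "binding"}   # failure fails the chain

def find_pam_group_rule(pam_text):
    """Return the first active 'auth ... pam_group.so' rule, or None."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments
        if (len(fields) >= 3 and fields[0] == "auth"
                and fields[2].split("/")[-1] == "pam_group.so"):
            args = fields[3:]
            group = "wheel"                        # default without group=
            for arg in args:
                if arg.startswith("group="):
                    group = arg.split("=", 1)[1]
            return {"control": fields[1], "group": group,
                    "deny": "deny" in args, "root_only": "root_only" in args}
    return None

def audit_su_policy(pam_text, expected_group="wheel"):
    """List deviations from 'only expected_group members may su to root'."""
    rule = find_pam_group_rule(pam_text)
    if rule is None:
        return ["no active pam_group rule: group membership is not checked"]
    findings = []
    if rule["control"] not in ENFORCING:
        findings.append("control flag '%s' does not make the check mandatory"
                        % rule["control"])
    if rule["deny"]:
        findings.append("'deny' inverts the test: members of '%s' are refused"
                        % rule["group"])
    if rule["group"] != expected_group:
        findings.append("gated on group '%s', expected '%s'"
                        % (rule["group"], expected_group))
    return findings

# Constructed samples, laid out like a pam.d policy file.
STOCK_LIKE = """\
auth  sufficient  pam_rootok.so  no_warn
auth  requisite   pam_group.so   no_warn group=wheel root_only fail_safe ruser
auth  include     system
"""
RELAXED = """\
auth  sufficient  pam_rootok.so  no_warn
#auth requisite   pam_group.so   no_warn group=wheel root_only fail_safe ruser
auth  include     system
"""

if __name__ == "__main__":
    print(audit_su_policy(STOCK_LIKE), audit_su_policy(RELAXED))
```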

       By default, the environment is unmodified with the exception of USER,
       HOME, and SHELL.  HOME and SHELL are set to the target login's default
       values.  USER is set to the target login, unless the target login has a
       user ID of 0, in which case it is unmodified.  The invoked shell is the
       one belonging to the target login.  This is the traditional behavior of
       su.  Resource limits and session priority applicable to the original
       user's login class (see login.conf(5)) are also normally retained
       unless the target login has a user ID of 0.

       The options are as follows:

       -c class
               Use the settings of the specified login class.  The login class
               must be defined in login.conf(5).  Only allowed for the
               superuser.

       -f      If the invoked shell is csh(1), this option prevents it from
               reading the ".cshrc" file.

       -l      Simulate a full login.  The environment is discarded except for
               HOME, SHELL, PATH, TERM, and USER.  HOME and SHELL are modified
               as above.  USER is set to the target login.  PATH is set to
               "/bin:/usr/bin".  TERM is imported from your current
               environment.  Environment variables may be set or overridden
               from the login class capabilities database according to the
               class of the target login.  The invoked shell is the target
               login's, and su will change directory to the target login's
               home directory.  Resource limits and session priority are
               modified to that for the target account's login class.

       -       (no letter) The same as -l.

       -m      Leave the environment unmodified.  The invoked shell is your
               login shell, and no directory changes are made.  As a security
               precaution, if the target user's shell is a non-standard shell
               (as defined by getusershell(3)) and the caller's real uid is
               non-zero, su will fail.

       -s      Set the MAC label to the user's default label as part of the
               user credential setup.  Setting the MAC label may fail if the
               MAC label of the invoking process is not sufficient to
               transition to the user's default MAC label.  If the label
               cannot be set, su will fail.

       The -l (or -) and -m options are mutually exclusive; the last one
       specified overrides any previous ones.
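
       A model of the environment handling described above for the default
       mode, -l (or -) and -m, including the last-one-wins rule.  This is an
       added example, not su's source code; the function names and the sample
       caller and target are constructed, and login class overrides that -l
       may apply are left out.

```python
# Model of the environment rules in su(1); not su's source code.
# Login-class overrides (login.conf) that -l may apply are left out.
LOGIN_PATH = "/bin:/usr/bin"            # PATH value the page gives for -l

def effective_mode(flags):
    """-l (or -) and -m are mutually exclusive; the last one given wins."""
    mode = "default"
    for flag in flags:
        if flag in ("-l", "-"):
            mode = "login"
        elif flag == "-m":
            mode = "preserve"
    return mode

def su_environment(caller_env, target, flags=()):
    """Environment seen by the invoked shell; target holds passwd(5) fields."""
    mode = effective_mode(flags)
    if mode == "preserve":              # -m: environment left unmodified
        return dict(caller_env)
    if mode == "login":                 # -l: discard all but the listed names
        env = {"PATH": LOGIN_PATH, "USER": target["name"]}
        if "TERM" in caller_env:        # TERM is imported from the caller
            env["TERM"] = caller_env["TERM"]
    else:                               # default: inherit, then fix up
        env = dict(caller_env)
        if target["uid"] != 0:          # USER is untouched when target is uid 0
            env["USER"] = target["name"]
    env["HOME"] = target["home"]
    env["SHELL"] = target["shell"]
    return env

def carried_over(caller_env, target, flags=()):
    """Caller variables (TERM aside) that reach the target shell unchanged."""
    result = su_environment(caller_env, target, flags)
    return sorted(k for k, v in caller_env.items()
                  if k != "TERM" and result.get(k) == v)

# Constructed sample input.
CALLER = {"USER": "alice", "HOME": "/home/alice", "SHELL": "/bin/sh",
          "PATH": "/home/alice/bin:/bin:/usr/bin", "TERM": "xterm",
          "EDITOR": "/home/alice/bin/ed-wrapper"}
ROOT = {"name": "root", "uid": 0, "home": "/root", "shell": "/bin/csh"}

if __name__ == "__main__":
    for flags in ((), ("-l",), ("-m",), ("-l", "-m", "-")):
        print(flags, carried_over(CALLER, ROOT, flags))
```

       In the default mode the root shell keeps the caller's PATH and EDITOR;
       only -l (or -) starts from a clean environment.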

       If the optional args are provided on the command line, they are passed
       to the login shell of the target login.  Note that all command line
       arguments before the target login name are processed by su itself,
       everything after the target login name gets passed to the login shell.

       By default (unless the prompt is reset by a startup file) the
       superuser prompt is set to "#" to remind one of its awesome power.

ENVIRONMENT
       Environment variables used by su:

       HOME  Default home directory of real user ID unless modified as
             specified above.

       PATH  Default search path of real user ID unless modified as specified
             above.

       TERM  Provides terminal type which may be retained for the substituted
             user ID.

       USER  The user ID is always the effective ID (the target user ID) after
             an su unless the user ID is 0 (root).

FILES
       /etc/pam.d/su  PAM configuration for su.

EXAMPLES
       su -m operator -c poweroff
              Starts a shell as user operator, and runs the command poweroff.
              You will be asked for operator's password unless your real UID
              is 0.  Note that the -m option is required since user "operator"
              does not have a valid shell by default.  In this example, -c is
              passed to the shell of the user "operator", and is not
              interpreted as an argument to su.
       su -m operator -c 'shutdown -p now'
              Same as above, but the target command consists of more than a
              single word and hence is quoted for use with the -c option being
              passed to the shell.  (Most shells expect the argument to -c to
              be a single word).
       su -m -c staff operator -c 'shutdown -p now'
              Same as above, but the target command is run with the resource
              limits of the login class "staff".  Note: in this example, the
              first -c option applies to su while the second is an argument to
              the shell being invoked.
       su -l foo
              Simulate a login for user foo.
       su - foo
              Same as above.
       su -   Simulate a login for root.

SEE ALSO
       csh(1), mdo(1), sh(1), group(5), login.conf(5), passwd(5), environ(7),
       pam_group(8)

HISTORY
       A su command appeared in Version 1 AT&T UNIX.

FreeBSD	15.0			 June 11, 2025				 SU(1)
