HP-UX 11i Version 3: February 2007
su — switch user
The su (set user or superuser) command allows one user to become another user without logging out.
username is the name of a user defined in the /etc/passwd file (see passwd(4)). The default name is root (that is, superuser).
To use su, the appropriate password must be supplied unless the current user is superuser and is not using the -d option. If a valid password is entered, su executes a new shell with the real and effective user ID, real and effective group ID, and group access list set to that of the specified user. The new shell is the one specified in the shell field of the new user's entry in the password file, /etc/passwd.
The arguments are passed along to the new shell for execution, permitting the user to run shell procedures with the new user's privileges.
When exiting from the new shell, the previous username and environment are restored.
All attempts to become another user are logged in /var/adm/sulog, including failures. Successful attempts are flagged with +; failures, with -. They are also logged with syslog() (see syslog(3C)).
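The + and - flags make /var/adm/sulog easy to triage for repeated failures. The following is an added example, not part of the original manual page: it assumes each record has the layout SU MM/DD HH:MM FLAG TTY FROMUSER-TOUSER, the function names are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: triage failed su attempts recorded in /var/adm/sulog.
# Assumed line layout (not stated on this page):
#   SU MM/DD HH:MM FLAG TTY FROMUSER-TOUSER
# FLAG is "+" for success and "-" for failure, as described above.

# Constructed sample lines, not real log output.
sample_sulog() {
    cat <<'EOF'
SU 02/14 09:01 + pts/0 alice-root
SU 02/14 09:05 - pts/1 bob-root
SU 02/14 09:06 - pts/1 bob-root
SU 02/14 09:07 - pts/1 bob-root
SU 02/14 09:30 - pts/2 carol-bin
SU 02/14 09:31 + pts/2 carol-bin
SU 02/14 10:12 - pts/3 dave-root
garbage line that should be skipped
EOF
}

# failed_su [MIN]: read sulog lines on stdin and print, for every
# FROM/TO pair with at least MIN failures (default 1):
#   FROM TO FAILURES LAST_FAILURE_DATE LAST_FAILURE_TIME STATUS
# STATUS tells whether a success followed a failure for that pair.
failed_su() {
    awk -v min="${1:-1}" '
        # Skip anything that is not a well-formed su record.
        $1 != "SU" || NF < 6 || ($4 != "+" && $4 != "-") { next }
        {
            # Split FROM-TO at the last hyphen; a target login name that
            # itself contains "-" is ambiguous in this layout.
            pair = $6; i = length(pair)
            while (i > 0 && substr(pair, i, 1) != "-") i--
            if (i <= 1 || i == length(pair)) next
            key = substr(pair, 1, i - 1) " " substr(pair, i + 1)
            if ($4 == "-") { fails[key]++; last[key] = $2 " " $3 }
            else if (key in fails) won[key] = 1
        }
        END {
            for (k in fails)
                if (fails[k] >= min)
                    print k, fails[k], last[k],
                        ((k in won) ? "success-after-failure" : "no-success")
        }' | sort
}

# Usage on a live system (path from this page): failed_su 3 < /var/adm/sulog
```

A pair reported as success-after-failure is worth checking against the syslog entries for the same time window.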
su recognizes the following options:
If the - option is specified, the new shell starts up as if the new user had initiated a new login session. Exceptions are as follows:
If the - option is omitted, the new shell starts as if a subshell was invoked. Exceptions are as follows:
HP-UX Smart Card Login
If the user account is configured to use a Smart Card, the user password is stored in the card. This password has characteristics identical to a normal password stored on the system.
In order to su using a Smart Card account, the Smart Card from the destination user account must be inserted into the Smart Card reader. The user is prompted for a PIN instead of a password during authentication.
The password is retrieved automatically from the Smart Card when a valid PIN is entered. Therefore, it is not necessary to know the password, only the PIN.
The card is locked if an incorrect PIN is entered three consecutive times. It may be unlocked only by the card issuer.
Except for user root, users cannot use su to change to an account that has been locked because of expired passwords or other access restrictions.
Refer to the /etc/default/security file in the security(4) manual page for detailed information on configurable parameters that affect the behavior of this command. Currently, the supported parameters for the su command are:
International Code Set Support
Characters in the 7-bit US-ASCII code sets are supported in login names (see ascii(5)).
Become user bin while retaining the previously exported environment:
Become user bin but change the environment to what would be expected if bin had originally logged in:
su - bin
Execute the command, 'echo hello', using the temporary environment and permissions of user bin. In this example, user bin's shell is invoked with the arguments -c 'echo hello'.
su bin -c 'echo hello'
Become user DCEPrincipal in the DCE environment:
su -d DCEPrincipal
After a valid password is supplied, su uses information from /etc/passwd and /etc/logingroup to determine the user's group ID and group access list. If /etc/group is linked to /etc/logingroup, and group membership for the user trying to log in is managed by the Network Information Service (NIS), and no NIS server is able to respond, su waits until a server does respond.
Pluggable Authentication Modules (PAM)
PAM is an Open Group standard for user authentication, password modification, and account validation. In particular, pam_authenticate() is invoked to perform all functions related to su. This includes password retrieval, account validation, and error message displays.