|
Chapter 22 File Security, Ownership, and Sharing |
|
22.22 The su Command Isn't Just for the Superuser
System administrators use the su command to become the superuser ( 1.24 ) . But you can use it for lots more:
-
Become another user temporarily, without logging off your account.
-
Become another user without tying up another terminal port.
-
Switch between multiple users any time (on systems with job control).
-
Do a "quick login" to another user's account, especially when the system is busy.
When you type:
youraccount%suwhoeverPassword: whoever%
UNIX starts a
subshell (
38.4
)
that runs as the user
whoever
.
After you use the
cd
command to go to the user's home directory, you can
run commands as if you'd logged into that account (more or less... see below).
22.22.1 Ending or Suspending
End the subshell and go back to the account where you typed
su
with the
exit
(
38.4
)
command or a
CTRL-d.
Or, on systems with
job control (
12.8
)
,
you can stop the subshell temporarily and go back to the account where you
started the
su
.
To do that, type
suspend
if
whoever
's shell has job control
(most shells do); otherwise, enter
CTRL-z
at the shell prompt.
NOTE: If the su subshell doesn't have job control but your starting shell does, entering CTRL-z to any command you run from the subshell will stop the command and the subshell .
You can use suspend to start multiple su sessions from the same shell. You can go back to your original login, from any of those sessions, without losing your shell history, current directory, etc. Because these shells run on the same tty ( 3.8 ) as your login shell, su doesn't tie up other tty/pty ports like multiple logins or multiple windows can. This is helpful on busy machines with lots of users.
On any UNIX system, you can type
exit
(or use
CTRL-d)
to go back
to the original login.
But on systems with job control, you can
su
to several other users and
jump back to your original login at any time.
Job control lets you suspend an
su
and go back to the
place you left off without typing another
su
(and password).
Many shells have a
suspend
command that lets you do that.
On other shells, you may be able to enter
CTRL-z
(your job suspend
character) or make a command
alias (
10.4
)
to stop the current shell:
kill $$ |
alias suspend='kill -STOP $$' |
|---|
Here's a demo. I'm logged in to the account jerry on the computer wheeze . I've su ed to the superuser, sarah , and manuals accounts, too. I'm using job control to switch users:
jerry@wheeze%jobs[1] Stopped su [2] - Stopped su sarah [3] + Stopped su manuals jerry@wheeze%fgsu manuals ... Do stuff as manuals ... manuals@wheeze%suspendStopped jerry@wheeze%fg %1su wheeze# ... Do stuff as root ... wheeze#suspendStopped jerry@wheeze%
I use that so much that I've made a single-letter alias ( 10.2 ) named z that does a suspend .
22.22.2 Who Are You Now?
|
whoami
id |
It's easier to jump between accounts if the shells'
prompts (
7.1
)
have the username
in them, as shown above.
If not,
use the command
whoami
or
id
to see which user you are.
Your system should have one or both; both GNU versions are on the
CD-ROM. Also, to see your original login name (the account where you started the
su
), try
who am i
(with spaces). |
|---|
22.22.3 Problems You Might Have
Some System V versions don't change the environment variable
HOME
(
LOGDIR
) (
14.11
)
to the right value for the account you
su
to.
That means a
cd
command will take you to the home directory of
your original login, not the home directory of your
su
ed account.
Also, a C shell you start on the other account won't read your
.cshrc
file.
The best fix for that is a shell script named
su
that sets the variable
for you.
The script is run by the
C shell
:-(
(
47.2
)
because
csh
has the
~
(tilde) operator (
14.11
)
for finding the account's home directory.
Add this script to a directory before
/bin
in your path (
8.7
)
or make an alias or shell function that runs the script instead of the standard
su
.
x !~ exec :q |
#!/bin/csh -f
# su - fix incorrect $HOME and USER with system 'su' command
foreach arg ($argv)
# find first non-option argument
if ("x$arg" !~ x-*) then
setenv HOME ~$arg
setenv USER $arg
exec /bin/su $argv:q
endif
end
echo "$0 ERROR: can't find username."
exit 1
|
|---|
Another workaround for that is an alias with the name of the account I'm su ing to:
(..) |
alias randi '(setenv HOME ~randi; setenv USER randi; su randi)' |
|---|
There's another problem that can happen on any version of UNIX:
the account you
su
to
doesn't have permission (
22.2
)
to access the current directory where you ran the
su
command.
Then, you may get an error like
getwd: can't stat .
from the C shell
on the account you
su
to.
Or you may get no error but the
su
will fail.
The
fix for both problems is to
cd
to a world-access directory like
/
or
/tmp
before you run
su
.
An alias can make that easy:
\su |
alias su '(cd /; \su \!*)' |
|---|
You can also add the
cd /
command to this shell script if you want.
If the account you
su
to runs the C shell (and you don't use the
-f
option--see below), it will read the
.cshrc
file.
If that
.cshrc
has hardcoded pathnames or commands that only the
other account can run, the commands might fail.
That can cause a variety of "fun" problems.
Try replacing hardcoded pathnames like
/home/
oldacct
/bin
with paths that use account-specific
variables like
$home/bin
,
~/bin
, and so on.
Plain
su
whoever
doesn't read a
C shell user's
.login
file or a Bourne shell user's
.profile
.
Using
su -
whoever
(see the section "Other su
Features" at the end of this chapter) solves
that,
but you can't suspend an
su -
shell (at least not on my systems).
Finally, because the
su
command runs in a
subshell (
38.4
)
,
environment variables (
6.1
)
set in the account you
su
from will be passed into
the subshell.
That can be good or bad.
For instance, your favorite
EDITOR (
6.3
)
(
vi
, Emacs, or whatever)
can be passed to the account you
su
to.
But that account might also set a variable that you want to use.
If you're wondering what's set after you
su
, type
set
for a
list of shell variables, and either
env
or
printenv
(
6.1
)
to see environment variables.
22.22.4 Quick Changes to Other Accounts
If your system is busy, it can take time to run through all the commands
in the other user's
.cshrc
file.
The
su
command can pass arguments to the subshell it starts, though.
If the other account uses C shell, the
-f
option tells it not to read
the
.cshrc
file (for example,
su -f
whoever
).
You won't get that account's
.cshrc
setup, but you will start to work on
it sooner.
If logging in on your system takes a long time and you want to switch to another account permanently, you can exec ( 45.7 ) the su command:
%exec suwhoever
That makes a weird situation where the
who
(
51.4
)
command will show you logged
on as your original account, but you'll be running as
whoever
(the
whoami
or
id
command will tell you that).
Also, because the
su
shell isn't a
login shell (
2.8
)
,
the
logout
command
won't work; you'll need to type
exit
instead.
So,
exec su
is a little tricky-but it's fast.
22.22.5 Other su Features
The command su -e , which may also be called su -m or su -p , switches to the other user's account but keeps the environment you have now. That's handy when you're having trouble with the other user's environment or want to keep your own. (Some su s do -m by default, more or less. Use env or printenv ( 6.1 ) to see what you get.)
The command su - simulates a full login to the other account. If the other account runs the Bourne shell, the .profile will be read. For the C shell, both .cshrc and .login will be read. You can't suspend a su - subshell. When you log out though, you'll be back in your original account's shell.
-
|
|
|
|
| 22.21 How to Change File Ownership Without chown |
|
23. Removing Files |
