su Command

Purpose

Changes the user ID associated with a session.

Syntax

su [ - ] [ Name [ Argument ... ] ]

Description

The su command changes user credentials to those of the root user or to the user specified by the Name parameter, and initiates a new session. The user name might include a Distributed Computing Environment (DCE) cell specification.
Note: The root user is not required to satisfy the DCE authentication when switching to a DCE user. In this case, the user's DCE credentials are not required.
Any arguments, such as flags or parameters, that are specified by the Arguments parameter must relate to the login shell defined for the user specified by the Name parameter. These arguments are passed to the specified user's login shell. For example, if the login shell for user Fred is /usr/bin/csh, you can include any of the flags for the csh command, such as the -f flag. When the su command runs, it passes the -f flag to the csh command. When the csh command runs, the -f flag omits the .cshrc startup script.
Note: If the domainlessgroups attribute is set in the /etc/secvars.cfg file and if the user belongs to the Lightweight Directory Access Protocol (LDAP) domain or files domain, all the group IDs are fetched from the LDAP domain and the files domain.

The following functions are performed by the su command:

Item Description
account checking Validates the user account to be certain it exists, that it is enabled for the su command, that the current user is in a group permitted to switch to this account with the su command, and that it can be used from the current controlling terminal.
user authentication Validates the user's identity, using the system-defined primary authentication methods for the user. If a password has expired, the user must supply a new password.
credentials establishment Establishes initial user credentials, using the values in the user database. These credentials define the user's access rights and accountability on the system.
session initiation If the - flag is specified, the su command initializes the user environment from the values in the user database and the /etc/environment file. When the - flag is not used, the su command does not change the directory.

These functions are performed in the sequence shown. If one function is unsuccessful, the succeeding functions are not done. Refer to the ckuseracct, ckuserID, authenticate, setpcred, and setpenv subroutines for the semantics of these functions.

To restore the previous session, type exit or press the Ctrl-D key sequence. This action ends the shell called by the su command and returns you to the previous shell, user ID, and environment.

If the su command is run from the /usr/bin/tsh shell, the trusted shell, you exit from that shell. The su command does not change the security characteristics of the controlling terminal.

Each time the su command is executed, an entry is made in the /var/adm/sulog file. The /var/adm/sulog file records the following information: date, time, system name, and login name. The /var/adm/sulog file also records whether or not the login attempt was successful: a + (plus sign) indicates a successful login, and a - (minus sign) indicates an unsuccessful login.

Note: Successful use of the su command resets the unsuccessful_login_count attribute in the /etc/security/lastlog file only if the user's rlogin and login attributes are both set to false in /etc/security/user. Otherwise, the su command doesn't reset the unsuccessful_login_count, because the administrator often uses the su command to fix user account problems. The user is able to reset the attribute through a local or remote login.

Flags

Item Description
- Specifies that the process environment is to be set as if the user had logged in to the system using the login command. Nothing in the current environment is propagated to the new shell.
Note: This behavior is intended for compatibility with alternate UNIX shell environments where flag options are allowed ahead of the Name parameter.

Security

The su command is a PAM-enabled application with a service name of su. System-wide configuration to use PAM for authentication is set by modifying the value of the auth_type attribute, in the usw stanza of /etc/security/login.cfg, to PAM_AUTH as the root user.

The authentication mechanisms used when PAM is enabled depend on the configuration for the su service in /etc/pam.conf. The su command requires /etc/pam.conf entries for the auth, account, password, and session module types. In order for the su command to exhibit a similar behavior through PAM authentication as seen in standard AIX®authentication, the pam_allowroot module must be used as sufficient and called before pam_aix in both the auth and account su service stacks. Listed below is a recommended configuration in /etc/pam.conf for the su service:
#
# AIX su configuration
#
su auth sufficient /usr/lib/security/pam_allowroot
su auth required /usr/lib/security/pam_aix

su account sufficient /usr/lib/security/pam_allowroot
su account required /usr/lib/security/pam_aix

su session required /usr/lib/security/pam_aix

su password required /usr/lib/security/pam_aix
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
To get the full functionality of the command, besides the accessauths, the role should also have the aix.security.su authorization.
On a Trusted AIX system, when the su command is invoked with the - flag, the following conditions must be met for both sensitivity and integrity labels:
  • The current user's maximum clearance must dominate the new user's maximum clearance.
  • The new user's minimum clearance must dominate the current user's minimum clearance.
  • The current user's effective clearance must be dominated by the new user's maximum clearance and must dominate the new user's minimum clearance.

Examples

  1. To obtain root user authority, enter one of the following commands:
    su
    This command runs a subshell with the effective user ID and privileges of the root user. You will be asked for the root password. Press End-of-File, Ctrl+D key sequence, to end the subshell and return to your original shell session and privileges.
    su --
    This command runs a subshell with the effective user ID and privileges of the root user. Enter the root password, when prompted. Press End-of-File, Ctrl+D key sequence, to end the subshell and return to your original shell session and privileges.
  2. To obtain the privileges of the jim user, enter the following command:
    su jim
    This command runs a subshell with the effective user ID and privileges of jim.
  3. To set up the environment as if you had logged in as the jim user, enter:
    su  - jim
    This starts a subshell using jim's login environment.
  4. To run the backup command with root user authority and then return to your original shell, enter:
    su root "-c /usr/sbin/backup -9 -u"
    This command runs the backup command with root user authority within root's default shell. You must give the correct root password when queried for the command to execute.
  5. Enter one of the following commands to change the user credentials of the current session to root user:

    su -

    su - root

    su - --

    The preceding commands start a subshell by using the root user's login environment.

Files

Item Description
/usr/bin/su Contains the su command.
/etc/environment Contains user environment values.
/etc/group Contains the basic group attributes.
/etc/passwd Contains the basic user attributes.
/etc/security/user Contains the extended attributes of users.
/etc/security/environ Contains the environment attributes of users.
/etc/security/limits Contains the process resource limits of users.
/etc/security/passwd Contains password information.
/var/adm/sulog Contains information about login attempts.
/etc/security/enc/LabelEncodings Contains label definitions for the Trusted AIX system.