su(1) DG/UX R4.11MU05 su(1)
NAME
su, assume - switch user name (become another user or role)
SYNOPSIS
su [-l macalias] [-] [name [arg ... ] ]
assume [-l macalias] [name [arg ... ] ]
DESCRIPTION
The su command lets you become another user without logging off.
The assume command is available on systems with DG/UX information
security. This command lets you become a role without logging off.
To use su on a generic DG/UX system, supply the appropriate password
(unless you are already root). The default user name is root.
On a system with DG/UX information security, if the -l option is
provided, su attempts to create the session with a process clearance
(MAC label) of macalias, if permitted by the authorizations for the
su/assume service in the A&A database. If the -l option is not
provided, su ensures that the destination user's su authorization
allows you to su at your current process clearance. If the
authorization does not allow this, su will fail. If the -l option is
not provided, assume attempts to create the session with the default
process clearance (MAC label) for that role, specified in the A&A
database. If the authorization does not allow this, assume will
fail.
On a system with DG/UX information security, in order for a non-
privileged user to be able to su to a user, that user must be
authorized for the su service in the A&A database. You will then be
prompted for a password. Enter the password associated with the
user's su service authorization. If the password is correct, su will
execute a new shell with the real and effective user ID set to that
of the specified user. Also, on a system with DG/UX information
security, privilege is set to that of the specified user. The
specified user's audit mask is OR'd into yours. (However, su does
not change your AUTHID.) The new shell will be the optional program
named in the shell field of the specified user's password file entry
(see passwd(4)), or /bin/sh if none is specified (see sh(1)). To
restore normal user ID privileges, type an EOF (Ctrl-D) to the new
shell. In addition, su attempts to reset the process directory mode
to virtual. If it cannot do so, it will also fail.
On a system with DG/UX information security, in order for a user or
role to be able to assume a role, that user/role must be authorized
for the assume service in the A&A database. Then the same processing
occurs as was described above for su.
Any additional arguments given on the command line are passed to the
program invoked as the shell. When using programs like sh(1), an arg
of the form -c string executes string via the shell and an arg of -r
will give the user a restricted shell.
The following statements are true only if the optional program named
in the shell field of the specified user's password file entry is
like sh(1):
If the - option is specified for su, the environment is changed as if
you actually logged in as the specified user. You invoke the program
used as the shell with an arg0 value whose first character is -, thus
executing first the system's profile (/etc/profile) and then the
specified user's profile (.profile in the new HOME directory).
Otherwise, the environment is passed along with the possible
exception of $PATH, which is set to /bin:/etc:/usr/bin for root.
The assume command behaves like su - in terms of setting the environment.
If the optional program used as the shell is /bin/sh, the user's
.profile can check arg0 for -sh, -su or -assume to determine if it
was invoked by login(1), su(1) or assume(1), respectively. If the
user's program is other than /bin/sh, then .profile is invoked with
an arg0 of -program by login(1), su(1) and assume(1).
All attempts to become another user using su are logged in the log
file /usr/adm/sulog. This file contains the time and date when su
was invoked, a plus sign or a minus sign indicating the success or
failure (respectively) of the su command, the user's tty, the user's
login name, and the name to which the user attempted to change.
For example, the following entry shows that user morris, at tty06,
became root at 4:41pm on June 30.

    SU 06/30 16:41 + tty06 morris-root

The following entry shows an unsuccessful attempt to become root.

    SU 06/24 13:55 - tty11 morris-root
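
The record layout described above can be reviewed mechanically. The following is an added example, not part of the DG/UX manual page: it counts failed attempts per user/target pair and notes whether a success came after a failure. The function names, the sample records other than the two shown above, and the rule of splitting the last field at its final hyphen are assumptions.

```sh
#!/bin/sh
# Added example: summarize failed su attempts recorded in a sulog file.

# sulog_failed MIN [TARGET] < sulog
# Prints "from to failures outcome" for each from/to pair with at least
# MIN failed attempts; outcome says whether a success came after a failure.
sulog_failed() {
    awk -v min="$1" -v want="${2:-}" '
        # Well-formed record: SU MM/DD HH:MM +|- tty from-to
        $1 != "SU" || NF != 6 || $4 !~ /^[+-]$/ { bad++; next }
        {
            i = match($6, /-[^-]*$/)   # assumption: split at the last hyphen
            from = substr($6, 1, i - 1); to = substr($6, i + 1)
            if (i < 2 || to == "") { bad++; next }
            if (want != "" && to != want) next
            k = from " " to
            if ($4 == "-") { fail[k]++; later[k] = 0 }
            else if (k in fail) later[k] = 1
        }
        END {
            for (k in fail)
                if (fail[k] >= min)
                    print k, fail[k], (later[k] ? "success-followed" : "no-success")
            if (bad) print bad " malformed line(s) skipped" | "cat 1>&2"
        }' | sort
}

# Constructed sample log; only the 06/30 16:41 and 06/24 13:55 records
# come from the manual page text.
sample_sulog() {
    cat <<'EOF'
SU 06/24 13:55 - tty11 morris-root
SU 06/24 13:56 - tty11 morris-root
SU 06/24 13:57 - tty11 morris-root
SU 06/24 13:58 + tty11 morris-root
SU 06/25 09:10 - tty03 jones-bin
SU 06/30 16:41 + tty06 morris-root
this line is not a sulog record
EOF
}

# Report pairs with three or more failed attempts to become root.
sample_sulog | sulog_failed 3 root
```

On a live system, feed the function the log itself, for example `sulog_failed 3 root < /usr/adm/sulog`.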
EXAMPLES
To become user bin while retaining your previously exported
environment, execute:

    su bin

To become user bin but change the environment to what would be
expected if bin had originally logged in, execute:

    su - bin

To execute command with the temporary environment and permissions of
user bin, type:

    su - bin -c "command args"

To become role sysadmin with the default MAC label, execute:

    assume sysadmin
FILES
/etc/passwd        System's password file
/etc/profile       System's profile
$HOME/.profile     User's profile
/usr/adm/sulog     Log file
/etc/default/su    The default parameters that live here are:

    SULOG:         If defined, all attempts to su to another user are
                   logged in the indicated file.
    CONSOLE:       If defined, all attempts to su to root are logged on
                   the console.
    PATH:          Default path.
    SUPATH:        Default path for a user invoking su to become root.
    ALTSHELL:      If ALTSHELL=YES, su - name will set the SHELL
                   environment variable to the path name of the
                   specified user's shell. If ALTSHELL=PRESERVE, su -
                   will pass along any current SHELL value. Otherwise,
                   su - will not set SHELL.
    ALTERNATE_DIR: If a user's home directory is unreachable, su -
                   places the user in this directory instead. Set
                   ALTERNATE_DIR=an_impossible_value or ALTERNATE_DIR=
                   to reject attempts to su - to a user with an
                   unreachable home directory. If ALTERNATE_DIR is not
                   set, failures when attempting to change directories
                   are ignored.
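
The /etc/default/su parameters above decide whether su activity is recorded and how su - treats an unreachable home directory. The following is an added example, not part of the DG/UX manual page: it reads a file in KEY=value form and reports the settings that leave those controls off. The function names, the sample values, the treatment of "#" lines as comments, and the SUPATH check (general hardening practice, not stated on this page) are assumptions.

```sh
#!/bin/sh
# Added example: audit_su_defaults < /etc/default/su
# Prints one finding per line; prints nothing when no finding applies.
audit_su_defaults() {
    awk '
        /^[ \t]*#/ || !/=/ { next }     # assumption: "#" starts a comment
        {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            seen[key] = 1; value[key] = val
        }
        END {
            # Assumption: an empty value counts as "not defined".
            if (value["SULOG"] == "")
                print "SULOG: not defined, su attempts are not written to a log file"
            if (value["CONSOLE"] == "")
                print "CONSOLE: not defined, su to root is not logged on the console"
            # Per the page, an unset ALTERNATE_DIR means chdir failures are
            # ignored, while "ALTERNATE_DIR=" (empty) rejects the attempt.
            if (!("ALTERNATE_DIR" in seen))
                print "ALTERNATE_DIR: not set, failed directory changes are ignored"
            # Not from the page: relative or empty entries in the path used
            # for root make command lookup depend on the current directory.
            n = split(value["SUPATH"], dir, ":")
            for (i = 1; i <= n; i++)
                if (dir[i] !~ /^\//)
                    print "SUPATH: entry " i " (\"" dir[i] "\") is not an absolute path"
        }'
}

# Constructed sample: logging off, ALTERNATE_DIR unset, "." in SUPATH.
weak_su_defaults() {
    printf '%s\n' '# constructed sample' 'SUPATH=/bin:/etc:/usr/bin:.' 'ALTSHELL=YES'
}

# Constructed sample with the same controls enabled; the CONSOLE value
# is a placeholder, since the page does not show one.
hardened_su_defaults() {
    printf '%s\n' 'SULOG=/usr/adm/sulog' 'CONSOLE=/dev/console' \
        'SUPATH=/bin:/etc:/usr/bin' 'ALTERNATE_DIR='
}

weak_su_defaults | audit_su_defaults
```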
SEE ALSO
env(1), login(1), sh(1).
passwd(4), profile(4), environ(5).
NOTES
If you are using a system with DG/UX information security, and a
user's su password expires, you will not be able to su to that user.
Licensed material--property of copyright holder(s)