su(1)									su(1)



NAME
  su - Substitutes user ID temporarily

SYNOPSIS

  su [-f] | [-c command] | [-] [user]

FLAGS

  -c command
      Executes the specified command in the user's shell.

  -f  Prevents the user's shell initialization file from being executed by
      passing the -f option to the user's shell, thus making su start up
      faster.

  -   Simulates a full login by executing the commands in either the .cshrc
      and .login files for csh or the .profile file for sh and ksh and by
      setting the current working directory to the user's home directory.

DESCRIPTION

  The su command demands the password of the specified user, and if it is
  given, changes to that user and invokes the user's shell without changing
  the current directory.

  The user environment is unchanged except for HOME and SHELL, which are
  taken from the password file for the user being substituted (see environ).
  The new user ID stays in force until the shell exits.

  If no user ID is specified, su attempts to transition to the root account.

  The process created as a result of the su does not assume the privilege
  environment of the destination user; the discretionary identity of the
  process is changed and the privileges are reduced to the intersection of
  the two users.  The power you gain is not as great as that of the superuser
  on a nonsecure system.

  Security Restrictions

  The su command fails if any lock conditions exist on the target account.
  Specifically, if the destination account was retired, if the number of
  unsuccessful login attempts exceeds the maximum allowed, if the
  administrative lock was applied, or if the password's lifetime was exceeded,
  the Information System Security Officer (ISSO) must unlock the destination
  account before any user can log in to it or use su to transition to it.  The
  base privileges of the new process are adjusted to the intersection of those
  of the source and destination accounts.  Thus, you cannot gain any base
  privileges by using su.  Specifically, su to root does not gain the power
  that it once did.

  Note that command authorizations are checked against the process login user
  ID.  Thus, using su to transition to another account does not gain you that
  account's command authorizations.  Similarly, the new process's kernel
  authorizations are set to the intersection of those of the source and target
  accounts.  The system's audit subsystem audits your actions relative to the
  login user ID.
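
  The following Python model is an added illustration of the rules above, not
  code from this reference page or from the system.  The record layout, the
  function names and the privilege and authorization labels are all
  constructed, and the target's password is assumed to be already verified.

```python
from dataclasses import dataclass
@dataclass
class Account:  # constructed record; field names are assumptions
    name: str
    base_privs: frozenset
    kernel_auths: frozenset
    command_auths: frozenset
    retired: bool = False
    admin_locked: bool = False
    failed_logins: int = 0
    max_failed_logins: int = 5
    password_expired: bool = False

    def lock_reason(self):
        """Return the first lock condition that applies, or None."""
        checks = [
            (self.retired, "account retired"),
            (self.failed_logins > self.max_failed_logins, "too many unsuccessful logins"),
            (self.admin_locked, "administrative lock applied"),
            (self.password_expired, "password lifetime exceeded"),
        ]
        return next((why for hit, why in checks if hit), None)

@dataclass
class Process:
    login_user: Account      # fixed at login; su never changes it
    user: Account            # discretionary identity; su changes this
    base_privs: frozenset
    kernel_auths: frozenset

def login(account):  # at login, identity and privileges come from one account
    return Process(account, account, account.base_privs, account.kernel_auths)

def su(proc, target):
    """Model the transition once the target's password has been accepted."""
    reason = target.lock_reason()
    if reason:
        raise PermissionError(f"su: {target.name}: {reason}")
    # Assumption: intersect with the caller's current sets, which equal the
    # source account's sets for a process fresh from login.
    return Process(proc.login_user, target,
                   proc.base_privs & target.base_privs,
                   proc.kernel_auths & target.kernel_auths)

def may_run(proc, authorization):
    """Command authorizations are checked against the login user, not proc.user."""
    return authorization in proc.login_user.command_auths
# Constructed accounts; the privilege and authorization labels are placeholders.
ALICE = Account("alice", frozenset({"p1", "p2"}), frozenset({"k1"}), frozenset({"c1"}))
ROOT = Account("root", frozenset({"p2", "p3"}), frozenset({"k1", "k2"}), frozenset({"c1", "c2"}))
```

  In this model, su(login(ALICE), ROOT) yields a process whose identity is
  root but whose login user is still alice, so may_run() keeps answering from
  alice's command authorizations.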


  Security Configuration

  The su command is modified in all security configurations of the system.

SECURITY NOTE

  This security-sensitive command uses the SIA (Security Integration
  Architecture) routine as an interface to the security mechanisms. See the
  matrix.conf(4) reference page for more information.

RELATED INFORMATION

  Files:  sialog(4)

  Commands:  csh(1), ksh(1), sh(1)