* man/it/Makefile.am: Activate all manpages.
index f9a732b6e3b27d99516de7e51e55d6e08bdf829d..fcd27c24965f919bc48df1ed6ca523043b78ce92 100644 (file)
@@ -1,16 +1,66 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-               "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+<!--
+   Copyright (c) 1989 - 1990, Julianne Frances Haugh
+   Copyright (c) 2007 - 2008, Nicolas François
+   All rights reserved.
+  
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. The name of the copyright holders or contributors may not be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+  
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY CONSOLE               SYSTEM "login.defs.d/CONSOLE.xml">
+<!ENTITY CONSOLE_GROUPS        SYSTEM "login.defs.d/CONSOLE_GROUPS.xml">
+<!ENTITY DEFAULT_HOME          SYSTEM "login.defs.d/DEFAULT_HOME.xml">
+<!ENTITY ENV_HZ                SYSTEM "login.defs.d/ENV_HZ.xml">
+<!ENTITY ENVIRON_FILE          SYSTEM "login.defs.d/ENVIRON_FILE.xml">
+<!ENTITY ENV_PATH              SYSTEM "login.defs.d/ENV_PATH.xml">
+<!ENTITY ENV_SUPATH            SYSTEM "login.defs.d/ENV_SUPATH.xml">
+<!ENTITY ENV_TZ                SYSTEM "login.defs.d/ENV_TZ.xml">
+<!ENTITY LOGIN_STRING          SYSTEM "login.defs.d/LOGIN_STRING.xml">
+<!ENTITY MAIL_CHECK_ENAB       SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
+<!ENTITY MAIL_DIR              SYSTEM "login.defs.d/MAIL_DIR.xml">
+<!ENTITY QUOTAS_ENAB           SYSTEM "login.defs.d/QUOTAS_ENAB.xml">
+<!ENTITY SULOG_FILE            SYSTEM "login.defs.d/SULOG_FILE.xml">
+<!ENTITY SU_NAME               SYSTEM "login.defs.d/SU_NAME.xml">
+<!ENTITY SU_WHEEL_ONLY         SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml">
+<!ENTITY SYSLOG_SU_ENAB        SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml">
+<!ENTITY USERGROUPS_ENAB       SYSTEM "login.defs.d/USERGROUPS_ENAB.xml">
+<!-- SHADOW-CONFIG-HERE -->
+]>
 <refentry id='su.1'>
-  <!--  $Id: su.1.xml,v 1.22 2006/01/22 10:14:51 kloczek Exp $ -->
+  <!--  $Id$ -->
   <refmeta>
     <refentrytitle>su</refentrytitle>
     <manvolnum>1</manvolnum>
     <refmiscinfo class="sectdesc">User Commands</refmiscinfo>
+    <refmiscinfo class="source">shadow-utils</refmiscinfo>
+    <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>
   <refnamediv id='name'>
     <refname>su</refname>
-    <refpurpose>change user ID or become super-user</refpurpose>
+    <refpurpose>change user ID or become superuser</refpurpose>
   </refnamediv>
   <refsynopsisdiv id='synopsis'>
     <cmdsynopsis>
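Review bot: The new DOCTYPE pairs the public identifier `-//OASIS//DTD DocBook V4.5//EN` with the XML system identifier `.../docbook/xml/4.5/docbookx.dtd`; the removed line used the `DocBook XML V4.3` form, and the matching identifier for the XML DTD is `-//OASIS//DTD DocBook XML V4.5//EN`. A catalog lookup keyed on the public identifier can then miss or resolve to the SGML DTD, and the processor may fall back to fetching the DTD over plain `http://` during the build, so restore `XML` in the identifier and build with network access disabled (`--nonet` for xsltproc/xmllint). `&SHADOW_UTILS_VERSION;` in the added `<refmiscinfo class="version">` is not among the entities declared in this subset; presumably the build injects it at `<!-- SHADOW-CONFIG-HERE -->`, which deserves a short comment next to the placeholder saying so. The `<refsynopsisdiv>` continues outside the hunk.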
       <arg choice='opt'>
        <replaceable>options</replaceable>
       </arg>
-      <arg choice='opt'>- </arg>
       <arg choice='opt'>
        <arg choice='plain'>
          <replaceable>username</replaceable>
        </arg>
-       <arg choice='opt'>
-         <replaceable>args</replaceable>
-       </arg>
       </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
   <refsect1 id='description'>
     <title>DESCRIPTION</title>
     <para>
-      <command>su</command> is used to become another user during a login
-      session. Invoked without a username, <command>su</command> defaults to
-      becoming the super user. The optional argument <option>-</option> may
+      The <command>su</command> command is used to become another user during
+      a login session. Invoked without a <option>username</option>, 
+      <command>su</command> defaults to
+      becoming the superuser. The optional argument <option>-</option> may
       be used to provide an environment similar to what the user would
       expect had the user logged in directly.
     </para>
       The current environment is passed to the new shell. The value of
       <envar>$PATH</envar> is reset to <filename>/bin:/usr/bin</filename>
       for normal users, or <filename>/sbin:/bin:/usr/sbin:/usr/bin</filename>
-      for the super user. This may be changed with the
-      <emphasis>ENV_PATH</emphasis> and <emphasis>ENV_SUPATH</emphasis>
+      for the superuser. This may be changed with the
+      <option>ENV_PATH</option> and <option>ENV_SUPATH</option>
       definitions in <filename>/etc/login.defs</filename>.
     </para>
 
       <varlistentry>
        <term>
          <option>-c</option>, <option>--command</option>
-         <replaceable>SHELL</replaceable>
+         <replaceable>COMMAND</replaceable>
        </term>
        <listitem>
          <para>
            Specify a command that will be invoked by the shell using its
            <option>-c</option>.
          </para>
+         <para>
+           The executed command will have no controlling terminal. This
+           option cannot be used to execute interractive programs which
+           need a controlling TTY.
+           <!-- This avoids TTY hijacking when su is used to lower
+                privileges -->
+         </para>
        </listitem>
       </varlistentry>
       <varlistentry>
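Review bot: The reason for dropping the controlling terminal is given only in the XML comment at the end of the added `<para>` under `-c`, so it never reaches the rendered manual and readers see a restriction with no rationale. I would move it into the text, e.g. `This prevents the command from hijacking the caller's terminal when su is used to lower privileges.`, so that administrators do not treat the behaviour as a bug to work around. The same paragraph spells `interractive`; it should read `interactive`.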
        <listitem>
          <para>The shell that will be invoked.</para>
          <para>
-           The invoked shell is choosen among (higest priority first):
-           <itemizedlist>
-             <listitem>
-               <para>The shell specified with --shell</para>
-             </listitem>
-             <listitem>
+           The invoked shell is chosen from (highest priority first):
+           <!--This should be an orderedlist, but lists inside another
+               list does not work well with current docbook.
+               - nekral - 2009.06.03 -->
+           <variablelist>
+             <varlistentry><term></term><listitem>
+               <para>The shell specified with --shell.</para>
+             </listitem></varlistentry>
+             <varlistentry><term></term><listitem>
                <para>
                  If <option>--preserve-environment</option> is used, the
                  shell specified by the <envar>$SHELL</envar> environment
                  variable.
                </para>
-             </listitem>
-             <listitem>
+             </listitem></varlistentry>
+             <varlistentry><term></term><listitem>
                <para>
-                 The shell indicated in the /etc/passwd entry for the target
-                 user.
+                 The shell indicated in the <filename>/etc/passwd</filename>
+                 entry for the target user.
                </para>
-             </listitem>
-             <listitem>
-               <para>
-                 /bin/sh if a shell could not be found by any above method.
-               </para>
-             </listitem>
-           </itemizedlist>
+             </listitem></varlistentry>
+             <varlistentry><term></term><listitem>
+               <para><filename>/bin/sh</filename> if a shell could not be
+               found by any above method.</para>
+             </listitem></varlistentry>
+           </variablelist>
          </para>
          <para>
            If the target user has a restricted shell (i.e. the shell field of
            this user's entry in <filename>/etc/passwd</filename> is not
-           specified in <filename>/etc/shell</filename>), then the
+           listed in <filename>/etc/shells</filename>), then the
            <option>--shell</option> option or the <envar>$SHELL</envar>
-           environment variable won't be taken into account unless
-           <command>su</command> is called by the root.
+           environment variable won't be taken into account, unless
+           <command>su</command> is called by root.
          </para>
        </listitem>
       </varlistentry>
          <option>--preserve-environment</option>
        </term>
        <listitem>
-         <para>Preserve the current environment.</para>
+         <para>
+           Preserve the current environment, except for:
+           <variablelist>
+             <varlistentry>
+               <term><envar>$PATH</envar></term>
+               <listitem>
+                 <para>
+                   reset according to the
+                   <filename>/etc/login.defs</filename> options
+                   <option>ENV_PATH</option> or
+                   <option>ENV_SUPATH</option> (see below);
+                 </para>
+               </listitem>
+             </varlistentry>
+             <varlistentry>
+               <term><envar>$IFS</envar></term>
+               <listitem>
+                 <para>
+                   reset to
+                   <quote>&lt;space&gt;&lt;tab&gt;&lt;newline&gt;</quote>,
+                   if it was set.
+                 </para>
+               </listitem>
+             </varlistentry>
+           </variablelist>
+         </para>
          <para>
            If the target user has a restricted shell, this option has no
            effect (unless <command>su</command> is called by root).
          </para>
+         <para>
+           Note that the default behavior for the environment is the
+           following:
+           <variablelist>
+             <varlistentry><term></term><listitem>
+                 <para>
+                   The <envar>$HOME</envar>, <envar>$SHELL</envar>,
+                   <envar>$USER</envar>, <envar>$LOGNAME</envar>,
+                   <envar>$PATH</envar>, and <envar>$IFS</envar>
+                   environment variables are reset.
+                 </para>
+               </listitem>
+             </varlistentry>
+             <varlistentry><term></term><listitem>
+                 <para>
+                   If <option>--login</option> is not used, the
+                   environment is copied, except for the variables above.
+                 </para>
+               </listitem>
+             </varlistentry>
+             <varlistentry><term></term><listitem>
+                 <para>
+                   If <option>--login</option> is used, the
+                   <envar>$TERM</envar>, <envar>$COLORTERM</envar>,
+                   <envar>$DISPLAY</envar>, and
+                   <envar>$XAUTHORITY</envar> environment variables are
+                   copied if they were set.
+                 </para>
+               </listitem>
+             </varlistentry>
+             <varlistentry condition="no_pam"><term></term><listitem>
+                 <para>
+                   If <option>--login</option> is used, the
+                   <envar>$TZ</envar>, <envar>$HZ</envar>, and
+                   <envar>$MAIL</envar> environment
+                   variables are set according to the 
+                   <filename>/etc/login.defs</filename>
+                   options <option>ENV_TZ</option>,
+                   <option>ENV_HZ</option>, <option>MAIL_DIR</option>, and
+                   <option>MAIL_FILE</option> (see below).
+                 </para>
+               </listitem>
+             </varlistentry>
+             <varlistentry condition="no_pam"><term></term><listitem>
+                 <para>
+                   If <option>--login</option> is used, other environment
+                   variables might be set by the
+                   <option>ENVIRON_FILE</option> file (see below).
+                 </para>
+               </listitem>
+             </varlistentry>
+             <varlistentry condition="pam"><term></term><listitem>
+                 <para>
+                   Other environments might be set by PAM modules.
+                 </para>
+               </listitem>
+             </varlistentry>
+           </variablelist>
+         </para>
        </listitem>
       </varlistentry>
     </variablelist>
     </para>
   </refsect1>
 
+  <refsect1 id='configuration'>
+    <title>CONFIGURATION</title>
+    <para>
+      The following configuration variables in
+      <filename>/etc/login.defs</filename> change the behavior of this
+      tool:
+    </para>
+    <variablelist>
+      &CONSOLE;
+      &CONSOLE_GROUPS;
+      &DEFAULT_HOME;
+      <phrase condition="no_pam">&ENV_HZ;</phrase>
+      &ENVIRON_FILE;
+      &ENV_PATH;
+      &ENV_SUPATH;
+      &ENV_TZ;
+      <phrase condition="no_pam">&LOGIN_STRING;</phrase>
+      &MAIL_CHECK_ENAB;
+      <phrase condition="no_pam">&MAIL_DIR;</phrase>
+      &QUOTAS_ENAB;
+      &SULOG_FILE;
+      &SU_NAME;
+      &SU_WHEEL_ONLY;
+      &SYSLOG_SU_ENAB;
+      <phrase condition="no_pam">&USERGROUPS_ENAB;</phrase>
+    </variablelist>
+  </refsect1>
+
   <refsect1 id='files'>
     <title>FILES</title>
     <variablelist>
       <varlistentry>
        <term><filename>/etc/passwd</filename></term>
        <listitem>
-         <para>user account information</para>
+         <para>User account information.</para>
        </listitem>
       </varlistentry>
       <varlistentry>
        <term><filename>/etc/shadow</filename></term>
        <listitem>
-         <para>secure user account information</para>
+         <para>Secure user account information.</para>
+       </listitem>
+      </varlistentry>
+      <varlistentry>
+       <term><filename>/etc/login.defs</filename></term>
+       <listitem>
+         <para>Shadow password suite configuration.</para>
        </listitem>
       </varlistentry>
     </variablelist>
   </refsect1>
 
+  <refsect1 id='exit_values'>
+    <title>EXIT VALUES</title>
+    <para>
+      On success, <command>su</command> returns the exit value of the
+      command it executed.
+    </para>
+    <para>
+      If this command was terminated by a signal, <command>su</command>
+      returns the number of this signal plus 128.
+    </para>
+    <para>
+      If su has to kill the command (because it was asked to terminate,
+      and the command did not terminate in time), <command>su</command>
+      returns 255.
+    </para>
+    <para>
+      Some exit values from <command>su</command> are independent from the
+      executed command:
+      <variablelist>
+       <varlistentry>
+         <term><replaceable>0</replaceable></term>
+         <listitem>
+           <para>success (<option>--help</option> only)</para>
+         </listitem>
+       </varlistentry>
+       <varlistentry>
+         <term><replaceable>1</replaceable></term>
+         <listitem>
+           <para>System or authentication failure</para>
+         </listitem>
+       </varlistentry>
+       <varlistentry>
+         <term><replaceable>126</replaceable></term>
+         <listitem>
+           <para>The requested command was not found</para>
+         </listitem>
+       </varlistentry>
+       <varlistentry>
+         <term><replaceable>127</replaceable></term>
+         <listitem>
+           <para>The requested command could not be executed</para>
+         </listitem>
+       </varlistentry>
+      </variablelist>
+    </para>
+  </refsect1>
+
   <refsect1 id='see_also'>
     <title>SEE ALSO</title>
     <para><citerefentry>
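Review bot: In the added EXIT VALUES list the descriptions for `126` and `127` look swapped: by shell convention 126 means the command was found but could not be executed and 127 means it was not found, and scripts that branch on su's status will rely on that. This should be confirmed against su's exit-code definitions, which are not shown here; if they follow the convention, exchange the two `<para>` texts. Separately, the `--login` paragraph marked `condition="no_pam"` points to `<option>MAIL_FILE</option>` with "(see below)", but no `MAIL_FILE` entity is declared in the DOCTYPE subset or included in the new CONFIGURATION list, so that reference leads nowhere.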
       <citerefentry>
        <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
       </citerefentry>,
+      <citerefentry>
+       <refentrytitle>sg</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
       <citerefentry>
        <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>
+      </citerefentry>.
     </para>
   </refsect1>
 </refentry>