su Command

su Command  su 命令

Purpose  目的

       Changes the user ID associated with a session. 更改当前用户ID 关联session

Syntax  语法

       su [ - ] [ Name [ Argument ... ] ]

Description 描述

       The su command changes user credentials to those of the root user or to the user specified by the Name parameter, and then initiates a new session. The user name may
       include a DCE cell specification. Note: The root user is not required to satisfy the Distributed Computing Environment (DCE) authentication when switching to a DCE
       user. In this case, the user's DCE credentials are not gained.

       Any arguments, such as flags or parameters, that are specified by the Arguments parameter must relate to the login shell defined for the user specified by the Name
       parameter. These arguments are passed to the specified user's login shell. For example, if the login shell for user Fred is /usr/bin/csh, you can include any of the
       flags for the csh command, such as the -f flag. When the su command runs, it passes the -f flag to the csh command. When the csh command runs, the -f flag omits the
       .cshrc startup script.

       The following functions are performed by the su command:
       account checking
            Validates the user account to be certain it exists, that it is enabled for the su command, that the current user is in a group permitted to switch to this account
            with the su command, and that it can be used from the current controlling terminal.
       user authentication
            Validates the user's identity, using the system-defined primary authentication methods for the user. If a password has expired, the user must supply a new
            password.
       credentials establishment
            Establishes initial user credentials, using the values in the user database. These credentials define the user's access rights and accountability on the system.
       session initiation
            If the - flag is specified, the su command initializes the user environment from the values in the user database and the /etc/environment file. When the - flag is
            not used, the su command does not change the directory.

       These functions are performed in the sequence shown. If one function is unsuccessful, the succeeding functions are not done. Refer to the ckuseracct, ckuserID,
       authenticate, setpcred, and setpenv subroutines for the semantics of these functions.

       To restore the previous session, type exit or press the Ctrl-D key sequence. This action ends the shell called by the su command and returns you to the previous shell,
       user ID, and environment.

       If the su command is run from the /usr/bin/tsh shell, the trusted shell, you exit from that shell. The su command does not change the security characteristics of the
       controlling terminal.

       Each time the su command is executed, an entry is made in the /var/adm/sulog file. The /var/adm/sulog file records the following information: date, time, system name,
       and login name. The /var/adm/sulog file also records whether or not the login attempt was successful: a + (plus sign) indicates a successful login, and a - (minus sign)
       indicates an unsuccessful login. Note: Successful use of the su command resets the unsuccessful_login_count attribute in the /etc/security/lastlog file only if the
       user's rlogin and login attributes are both set to false in /etc/security/user. Otherwise, the su command doesn't reset the unsuccessful_login_count, because the
       administrator often uses the su command to fix user account problems. The user is able to reset the attribute through a local or remote login.

Flags

       -
            Specifies that the process environment is to be set as if the user had logged in to the system using the login command. Nothing in the current environment is
            propagated to the new shell.

Security

       The su command is a PAM-enabled application with a service name of su. System-wide configuration to use PAM for authentication is set by modifying the value of the
       auth_type attribute, in the usw stanza of /etc/security/login.cfg, to PAM_AUTH as the root user.

       The authentication mechanisms used when PAM is enabled depend on the configuration for the su service in /etc/pam.conf. The su command requires /etc/pam.conf entries
       for the auth, account, password, and session module types. In order for the su command to exhibit a similar behavior through PAM authentication as seen in standard AIX
       authentication, the pam_allowroot module must be used as sufficient and called before pam_aix in both the auth and account su service stacks. Listed below is a
       recommended configuration in /etc/pam.conf for the su service:

       #
       # AIX su configuration
       #
       su auth sufficient /usr/lib/security/pam_allowroot
       su auth required /usr/lib/security/pam_aix
       su account sufficient /usr/lib/security/pam_allowroot
       su account required /usr/lib/security/pam_aix
       su session required /usr/lib/security/pam_aix
       su password required /usr/lib/security/pam_aix

Examples
       1    To obtain root user authority, type:

            su

            This command runs a subshell with the effective user ID and privileges of the root user. You will be asked for the root password. Press End-of-File, Ctrl+D key
            sequence, to end the subshell and return to your original shell session and privileges.
       2    To obtain the privileges of the jim user, type:

            su jim

            This command runs a subshell with the effective user ID and privileges of jim.
       3    To set up the environment as if you had logged in as the jim user, type: su - jim

            This starts a subshell using jim's login environment.
       4    To run the backup command with root user authority and then return to your original shell, type:

            su root "-c /usr/sbin/backup -9 -u"

            This runs the backup command with root user authority within root's default shell. You must give the correct root password when queried for the command to execute.

Files

       /usr/bin/su
            Contains the su command.
       /etc/environment
            Contains user environment values.
       /etc/group
            Contains the basic group attributes.
       /etc/passwd
            Contains the basic user attributes.
       /etc/security/user
            Contains the extended attributes of users.
       /etc/security/environ
            Contains the environment attributes of users.
       /etc/security/limits
            Contains the process resource limits of users.
       /etc/security/passwd
            Contains password information.
       /var/adm/sulog

            Contains information about login attempts.

Related Information

       The bsh command, csh command, getty command, ksh command, login command, setgroups command, setsenv command, tsh command, and tsm command.

       The authenticate subroutine, ckuseracct subroutine, ckuserID subroutine, setpcred subroutine, setpenv subroutine.

       For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security
       Administration in AIX 5L Version 5.3 Security Guide.