Difference between revisions of "Su"

m (typo)
(sudo su: *removed* The wiki shouldn't give bad advice. sudo -s and -i exist for a reason.)
Line 57: Line 57:
  
 
  auth          required        pam_wheel.so use_uid
 
  auth          required        pam_wheel.so use_uid
 
===sudo su===
 
Another way to use su is with the sudo command.  For instance, if you have a user that is allowed to use sudo ((enabled in the {{Filename|/etc/sudoers}})) then you can attain a root login shell with:
 
  sudo su -
 
or a login shell for any user with
 
  sudo su - username
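
Review bot: the "sudo su" section is dropped with nothing put in its place, so a reader who has sudo rights loses the only pointer to a root login shell that this part of the page offered. The edit summary names sudo -s and -i as the proper tools, but neither is mentioned in the lines that remain. Suggest replacing the section with one sentence saying that `sudo -i` gives a root login shell and `sudo -s` a non-login shell, or with a link to the sudo article, instead of a bare deletion.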
 

Revision as of 16:59, 2 January 2011


The su command (substitute user) is used to assume the identity of another user on the system, normally root. This saves having to log out and log back in as the user you want to be. Instead, you may log in as another user during your session by starting a sort of sub-session, and then log out back to your own session when done.

Usage

To assume the login of another user, pass the username that you want to become to su, as in:

# su http

for the user "http".

You will be prompted for the password of the user you are attempting to become.

If no username is passed, su assumes the root user, and the password for which you are prompted will be that of root.

Login shell

The default behavior of su is to remain within the current directory and to maintain the environment variables of the original user (rather than switch to those of the new user).

Note the following important contrasting considerations:

It can sometimes be advantageous for a system administrator to use the shell account of an ordinary user rather than their own. In particular, occasionally the most efficient way to solve a user's problem is to log into that user's account in order to reproduce or debug the problem.
However, in many situations it is not desirable, or it can even be dangerous, for the root user to be operating from an ordinary user's shell account and with that account's environment variables rather than from its own. While inadvertently using an ordinary user's shell account, root could install a program or make other changes to the system that would not have the same result as if they were made while using the root account. For instance, a program could be installed that could give the ordinary user power to accidentally damage the system or gain unauthorized access to certain data.

Thus, it is advisable that administrative users, as well as any other users that are authorized to use su (and it is suggested that there be very few, if any), acquire the habit of always following the su command with a space and then a hyphen. The hyphen has two effects:

  1. switches from the current directory to the home directory of the new user (e.g., to Template:Filename in the case of the root user) by logging in as that user
  2. changes the environment variables to those of the new user as dictated by their Template:Filename. That is, if the first argument to su is a hyphen, the current directory and environment will be changed to what would be expected if the new user had actually logged on to a new session (rather than just taking over an existing session).

Thus, administrators should generally use su as follows:

$ su -

An identical result is produced by adding the username root:

$ su - root

Likewise, the same can be done for any other user (e.g. for a user named archie):

# su - archie

You may wish to add an alias to Template:Filename for this:

alias su="su -"
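
The risk described in this section, root working with an ordinary user's environment after a plain su, can be checked for. The script below is an added example, not part of the wiki text: it audits a PATH value for entries that root should not resolve commands through. The function name `risky_path_entries`, the choice of PATH as the variable to inspect and the sample directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a PATH value before a root
# shell relies on it. When su is run without "-", the caller's environment
# can be carried over, so root may resolve commands through directories
# that the original user controls.

# risky_path_entries PATHSTRING [TRUSTED_UID]
# Prints "reason<TAB>entry" for each risky entry; prints nothing if clean.
# TRUSTED_UID (default 0 = root) is the only owner accepted for a directory.
# Entries that do not exist are skipped.
risky_path_entries() {
    _rest="$1:"                 # trailing ':' so the last entry is parsed too
    _uid=${2:-0}
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}       # first remaining entry
        _rest=${_rest#*:}       # everything after it
        case $_dir in
            "")  printf 'empty\t%s\n' "(current directory)"; continue ;;
            /*)  ;;             # absolute: inspect the directory below
            *)   printf 'relative\t%s\n' "$_dir"; continue ;;
        esac
        # -H follows a symlinked entry (e.g. /bin -> usr/bin); -prune keeps
        # find from descending, so only the directory itself is tested.
        if [ -n "$(find -H "$_dir" -prune ! -user "$_uid" 2>/dev/null)" ]; then
            printf 'untrusted-owner\t%s\n' "$_dir"
        fi
        if [ -n "$(find -H "$_dir" -prune \( -perm -0020 -o -perm -0002 \) \
                   2>/dev/null)" ]; then
            printf 'group-or-world-writable\t%s\n' "$_dir"
        fi
    done
    return 0
}

# Audit the PATH of the shell this script runs in.
risky_path_entries "$PATH"
```

Run it in the shell obtained from su and again in the one obtained from su - to compare what each leaves in PATH.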

Security

From a security perspective, it is arguably better to set up sudo and use it instead of su. The sudo system will prompt you for your own password rather than that of the user you are attempting to become. This way you do not have to share passwords between users, and if you ever need to stop a user from having access to root (or any other account), you do not have to change the root password (which would inconvenience everyone else); you only need to revoke that user's sudo access.

su and wheel

BSD su allows only members of the "wheel" group to assume root's identity by default. This is not the default behavior of GNU su, but can be mimicked using PAM. Uncomment the appropriate line in Template:Filename:

auth           required        pam_wheel.so use_uid