Su (Unix)

su
Developer(s): AT&T Bell Laboratories
Initial release: November 3, 1971
Operating system: Unix and Unix-like
Type: Command

The Unix command su, which stands for 'substitute user'[1][2] (or historically 'superuser'[3][4]), is used by a computer user to execute commands with the privileges of another user account. When executed it invokes a shell without changing the current working directory or the user environment.

When the command is used without specifying the new user id as a command line argument, it defaults to using the superuser account (user id 0) of the system.

History

The command su, including the Unix permissions system and the setuid system call, was part of Version 1 Unix. Encrypted passwords appeared in Version 3.[5] The command is available as a separate package for Microsoft Windows as part of the UnxUtils collection of native Win32 ports of common GNU Unix-like utilities.[6]

The su command was removed from GNU coreutils as of release 8.18 (2012-08-12)[7] and is currently included in the util-linux package.

Usage

When run from the command line, su asks for the target user's password, and if authenticated, grants the operator access to that account and the files and directories that account is permitted to access.

    john@localhost:~$ su jane
    Password:
    jane@localhost:/home/john$ exit
    logout
    john@localhost:~$

When invoked with a hyphen (su -), su starts a login shell instead; in this mode the user assumes the target user's environment rather than keeping their own.

    john@localhost:~$ su - jane
    Password:
    jane@localhost:~$

The related command sudo also executes a command as another user, but it observes a set of constraints about which users can execute which commands as which other users (generally kept in a configuration file named /etc/sudoers, best edited with the visudo command). Unlike su, sudo authenticates users against their own password rather than that of the target user. This allows specific commands to be delegated to specific users on specific hosts without sharing passwords among them, while mitigating the risk of unattended terminals.

Some Unix-like systems implement the user group wheel, and only allow its members to become root with su.[8] This may or may not mitigate the concerns about sharing the root password, since an intruder might first simply break into one of those accounts. GNU su, however, does not support the group wheel for philosophical reasons. Richard Stallman argues that because the group would prevent users from utilizing root passwords leaked to them, the group would allow existing admins to ride roughshod over ordinary users.[9]
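
The sudo and wheel paragraphs above both turn on who is permitted to become root and what record an attempt leaves. The following is an added example, not code from the article, util-linux or GNU, showing a POSIX shell audit that checks whether a PAM configuration restricts su to the wheel group and cross-references su's syslog lines against wheel membership. The pam_wheel.so module, the Debian-style /etc/pam.d/su layout, the group file excerpt and the log lines are all assumptions or constructed samples.

```shell
#!/bin/sh
# Added example, not from the article: audit who may become root with su (wheel
# restriction) and who did (su's syslog records). All inputs are constructed samples
# written to a temp dir; on a real host use /etc/pam.d/su, /etc/group and the auth log.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
PAM_SU_FILE="$TMP/su.weak"; PAM_SU_HARDENED="$TMP/su.hardened"
GROUP_FILE="$TMP/group"; AUTH_LOG_FILE="$TMP/auth.log"
# Constructed Debian-style /etc/pam.d/su with pam_wheel commented out: any user may try su to root
printf '%s\n' 'auth       sufficient pam_rootok.so' \
              '# auth       required   pam_wheel.so use_uid' \
              '@include common-auth' > "$PAM_SU_FILE"
# Same file with the restriction enabled (assumes the Linux-PAM pam_wheel module)
sed 's/^# auth/auth/' "$PAM_SU_FILE" > "$PAM_SU_HARDENED"
# Constructed /etc/group excerpt: only alice is in wheel
printf '%s\n' 'root:x:0:' 'wheel:x:10:alice' 'users:x:100:alice,bob' > "$GROUP_FILE"
# Constructed auth log lines in the syslog format util-linux su emits
printf '%s\n' \
  'Mar  1 10:00:01 host su[1201]: (to root) alice on pts/0' \
  'Mar  1 10:00:01 host su[1201]: pam_unix(su:session): session opened for user root by alice(uid=1000)' \
  'Mar  1 10:05:42 host su[1330]: FAILED SU (to root) bob on pts/1' \
  'Mar  1 10:06:10 host su[1335]: (to jane) bob on pts/1' > "$AUTH_LOG_FILE"

# True when an active (uncommented) auth line requires pam_wheel.so
su_restricted_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}
# Print the members of group $2 from group file $1, one per line
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}
# Print "OK user" or "FAILED user" for every su attempt to become root in log $1
root_su_attempts() {
    awk '/\(to root\) / { st = ($0 ~ /FAILED SU/) ? "FAILED" : "OK"
                          l = $0; sub(/.*\(to root\) /, "", l); split(l, p, " ")
                          print st, p[1] }' "$1"
}
# Cross-reference attempts with wheel membership: a non-wheel user reaching root,
# or repeatedly failing, is what a reviewer of these logs wants surfaced
audit_root_su() {
    wheel=" $(group_members "$2" wheel | tr '\n' ' ')"
    root_su_attempts "$1" | while read -r st user; do
        case "$wheel" in *" $user "*) echo "$st $user wheel" ;; *) echo "$st $user not-wheel" ;; esac
    done
}

audit_root_su "$AUTH_LOG_FILE" "$GROUP_FILE"
su_restricted_to_wheel "$PAM_SU_FILE" || echo "su is not restricted to wheel in $PAM_SU_FILE"
```

The pam_unix session line is deliberately ignored: only the "(to root)" record names the invoking user and whether the attempt succeeded.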

References

  1. "su(1) - Linux manual page". April 2, 2021. "su - run a command with substitute user and group ID".
  2. "Unix Programmer's Manual, Seventh Edition, Volume 1" (PDF). January 1, 1979. p. 174. Archived (PDF) from the original on January 20, 2022. "su - substitute user id temporarily".
  3. "Unix Programmer's Manual" (PDF). November 3, 1971. p. 17. Archived (PDF) from the original on March 17, 2022. "su -- become privileged user... su allows one to become the super-user."
  4. "Unix Programmer's Manual - Table of Contents" (PDF). November 3, 1971. Archived (PDF) from the original on March 17, 2022. "su: become super-user".
  5. McIlroy, M. D. (1987). A Research Unix reader: annotated excerpts from the Programmer's Manual, 1971–1986 (PDF) (Technical report). CSTR. Bell Labs. 139.
  6. "Native Win32 ports of some GNU utilities". unxutils.sourceforge.net.
  7. "NEWS". GitHub. 17 September 2022.
  8. Levi, Bozidar (2002). UNIX Administration: A Comprehensive Sourcebook for Effective Systems and Network Management. CRC Press. p. 207. ISBN 0-8493-1351-1.
  9. "Why GNU su does not support the 'wheel' group". Archived from the original on June 21, 2021. Retrieved May 30, 2022.