su command

The su command allows root to become any other user (without a password) and any non-root user to become somebody else (including root), provided they know that user's password. It also allows commands to be executed as another user:

$ su
Password:

The command above switched the user session to root. However, it did not change the present working directory or any of the environment variables. To achieve that we have to run “su -”:

# su - oracle

With the “-” sign (or “-l” or “--login”), not only do we switch to the shell of another user, but we also move to its HOME folder, reset the HOME, SHELL, USER, LOGNAME & PATH variables and load its environment files (e.g. .bash_profile).

We can also switch to another user with a shell that is different from its default one with the “-s” flag:

# su - oracle -s /bin/ksh

And we can also execute a command as another user with the “-c” flag:

$ su -c "find / -nouser -delete"
$ su oracle -c "find ~ -name '*.tmp' -delete"

There are 3 files we can use to change the way su can be used: 

  • /etc/pam.d/su      → default PAM configuration file
  • /etc/pam.d/su-l    → PAM configuration file used when --login is specified
  • /etc/login.defs    → global login.defs configuration file

The file /etc/default/su might still be present, but all the settings that were available there in previous versions of Linux can now be set in /etc/login.defs (see User administration -> Configuration files).

As for the files underneath /etc/pam.d, we shall see at the end of this chapter how Pluggable Authentication Modules work and what we can do to tighten security.
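As an added example (not part of the original chapter), the script below audits the two PAM files listed above and reports whether each one has an active pam_wheel.so line, which is the usual way of limiting su to members of the wheel group. It assumes Linux-PAM syntax and runs against a constructed copy of the files, so no root access is needed.

```shell
#!/bin/sh
# Added example, not part of the original chapter: audit whether the two PAM
# files listed above restrict "su" to the wheel group via pam_wheel.so.
# Assumes Linux-PAM syntax ("type control module [args]"); "#" starts a comment.

# Return 0 if FILE has an active (uncommented) auth line that requires
# pam_wheel.so, 1 otherwise. Distribution defaults usually ship this line
# commented out, so any user who knows the root password may su to root.
pam_wheel_enabled() {
    [ -r "$1" ] || return 1
    sed 's/#.*//' "$1" | awk '
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
        $3 ~ /pam_wheel\.so/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Check both files under PREFIX (empty for the live system). Prints one line
# per file and returns the number of files that leave su unrestricted.
audit_su_pam() {
    prefix="$1"; open=0
    for name in su su-l; do
        f="$prefix/etc/pam.d/$name"
        if pam_wheel_enabled "$f"; then
            echo "OK    $f: su limited to the wheel group"
        else
            echo "WARN  $f: no active pam_wheel.so line"
            open=$((open + 1))
        fi
    done
    return "$open"
}

# Constructed sample tree (not copied from any real system): "su" keeps the
# typical commented-out line, "su-l" has the restriction enabled.
make_sample_pam_dir() {
    d="$1"; mkdir -p "$d/etc/pam.d"
    printf '%s\n' '#%PAM-1.0' 'auth    sufficient  pam_rootok.so' \
        '# auth  required    pam_wheel.so use_uid' \
        'auth    include     system-auth' > "$d/etc/pam.d/su"
    printf '%s\n' '#%PAM-1.0' 'auth    sufficient  pam_rootok.so' \
        'auth    required    pam_wheel.so use_uid' \
        'auth    include     system-auth' > "$d/etc/pam.d/su-l"
    echo "$d"
}

SAMPLE_DIR=$(make_sample_pam_dir "${TMPDIR:-/tmp}/su-pam-audit.$$")
audit_su_pam "$SAMPLE_DIR" || echo "$? file(s) leave su unrestricted"
```

Run `audit_su_pam ""` to check the live system instead of the sample tree.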

