su(1) — CX/UX 6.20
su(1)

NAME

su − become super-user or another user

SYNOPSIS

su [ − ] [ name [ arg ... ] ]

DESCRIPTION

su allows one to become another user without logging off.  The default user name is root (i.e., super-user). 

To use su, the appropriate password must be supplied (unless one is already root).  If the password is correct, su will execute a new shell with the real and effective user ID set to that of the specified user.  If the specified user has an access vector defined in /etc/acc_vector, the invoking user will execute with that access vector also.  The new shell will be the optional program named in the shell field of the specified user’s password file entry (see passwd(4)), or /bin/sh if none is specified (see sh(1)).  To restore normal user ID privileges, type an EOF (cntrl-d) to the new shell.

Any additional arguments given on the command line are passed to the program invoked as the shell.  When using programs like sh(1), an arg of the form −c string executes string via the shell and an arg of −r will give the user a restricted shell. 

The following statements are true only if the optional program named in the shell field of the specified user’s password file entry is like sh(1).  If the first argument to su is a −, the environment will be changed to what would be expected if the user actually logged in as the specified user.  This is done by invoking the program used as the shell with an arg0 value whose first character is −, thus causing first the system’s profile (/etc/profile) and then the specified user’s profile (.profile in the new HOME directory) to be executed.  Otherwise, the environment is passed along with the possible exception of $PATH, which is set to /bin:/etc:/usr/bin:/usr/ucb for root.  Note that if the optional program used as the shell is /bin/sh, /bin/ksh or /bin/csh, the user’s .profile or .login can check arg0 for −su to determine if it was invoked by su(1).  If the user’s program is other than one of these standard shells, then the program is invoked with an arg0 of -program by both login(1) and su(1). 
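The arg0 convention above is what a user's .profile keys on. The following .profile fragment is an added example, not text from the CX/UX manual: it classifies the arg0 value the way the page describes (login(1) starts a standard shell with -sh, -ksh or -csh; su - starts it with -su; a non-standard shell gets -program from both), wrapped in a function that takes arg0 as a parameter so the logic can be exercised without changing $0. The message strings and the decision to stay quiet under su are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the CX/UX manual): a .profile fragment that tells a
# real login from an invocation by "su - user", using the arg0 value that
# su(1) and login(1) hand to the shell.

# Classify an arg0 value. In a real .profile the caller passes "$0";
# the function form lets the mapping be checked on its own.
classify_arg0() {
  case "$1" in
    -su)           echo su ;;           # reached via "su - name" with /bin/sh, ksh or csh
    -sh|-ksh|-csh) echo login ;;        # reached via login(1) with a standard shell
    -*)            echo login-other ;;  # non-standard shell: login and su both pass -program,
                                        # so the two cannot be told apart here
    *)             echo subshell ;;     # no leading "-": the profile is not normally run at all
  esac
}

# What a .profile might do with the answer: print the greeting only on a
# genuine login, and stay quiet when an administrator arrived through su -.
case "$(classify_arg0 "$0")" in
  login)       echo "Welcome; running full login profile" ;;
  su)          : ;;                     # identity switched with su -; no banner
  login-other) echo "Login or su with a non-standard shell" ;;
esac
```

Because plain `su name` (no leading `-`) never runs .profile, the `subshell` branch is reachable only when the function is called by hand; it is kept so the mapping is total.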

All attempts to become another user using su are logged in the log file /usr/adm/sulog. 
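Since every su attempt lands in /usr/adm/sulog, that file is the natural place for an administrator to look for failed and off-console escalations. The script below is an added example, not part of the CX/UX manual. It assumes the System V sulog record layout, `SU mm/dd hh:mm + tty from-to` with `+` for success and `-` for failure; the manual page does not state the format, so treat that as an assumption. The sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the CX/UX manual): summarise /usr/adm/sulog.
# Assumed record layout (System V convention, not stated on the page):
#   SU mm/dd hh:mm + tty from-to      '+' = success, '-' = failure
# The records below are constructed for the example.
SAMPLE_SULOG='SU 03/14 09:02 + console root-bin
SU 03/14 09:15 - ttyp0 jdoe-root
SU 03/14 09:16 - ttyp0 jdoe-root
SU 03/14 09:18 + ttyp0 jdoe-root
SU 03/14 11:40 + ttyp1 ops-bin
SU 03/15 02:03 - ttyp2 guest-root'

# Number of failed attempts (field 4 is "-") in the log read from stdin.
failed_count() {
  awk '$1 == "SU" && $4 == "-" { n++ } END { print n + 0 }'
}

# Successful switches to root from a port other than the console, printed as
# "user tty". The page expects superuser work to happen on the system-level
# port (normally only the console), so anything else deserves a review.
root_success_offconsole() {
  awk '$1 == "SU" && $4 == "+" && $5 != "console" && $6 ~ /-root$/ {
         sub(/-root$/, "", $6); print $6, $5 }'
}

# Source-target pairs with at least N failures (default 2), as "count pair".
repeat_failures() {
  awk -v min="${1:-2}" '$1 == "SU" && $4 == "-" { c[$6]++ }
       END { for (k in c) if (c[k] >= min) print c[k], k }'
}

# Run against the constructed sample; on a real system pipe the log in:
#   repeat_failures 3 < /usr/adm/sulog
printf '%s\n' "$SAMPLE_SULOG" | failed_count
printf '%s\n' "$SAMPLE_SULOG" | root_success_offconsole
printf '%s\n' "$SAMPLE_SULOG" | repeat_failures 2
```

The three functions read the log from standard input so they compose with `tail -f` or with a log copied off the machine, which matches the page's advice to keep an independent record of console activity.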

SECURITY FEATURES

The su command can be invoked only while operating at the system level (hierarchical level 0) or if invoked by a process operating with superuser rights (e.g.  cron(1M), or init(1M)).  By manipulating user minimum clearances, the su command can be restricted to only authorized administrative users.  By manipulating port minimum clearances, the su command can be further restricted to authorized users operating on authorized terminals.  It is possible by these mechanisms, for example, to restrict the command to a security officer operating at the system console. 

Superuser Considerations

Combined with the login(1) restriction against superuser login, the su restriction to system level users assures that no user can function as superuser unless that user a) is logged in on a port with a minimum device clearance of system, b) has been identified by login with his/her personal password, c) is currently operating at a system level (hierarchical level 0), and d) knows the superuser password. 

Further, when granting superuser rights to an interactive user, the su command displays a special warning message reminding the user of his/her duty to maintain the integrity of security labels while operating as superuser.  Superuser has the ability to access any file on the system, overriding all mandatory and discretionary access controls.  When operating as superuser, all output (to screen, printer, etc.)  should be considered "System High" until properly reviewed.  Obviously, no user should be allowed to operate as superuser unless that individual is cleared to "System High" and is trusted to properly label any and all files or output generated while operating as superuser. 

If operating as superuser via an AT&T 630/MTG terminal using the 630/SX security enhancements, the window label is changed to "System High" to further remind the user that all information displayed is potentially sensitive at the highest level allowed on the system. 

Operating Privilege

By default, su sets the user’s current operating privilege to the target user’s login privilege (GID).  If the target user (or pseudo-user) is effectively superuser, this default is taken without further notice.  This is required for compatibility with various administrative scripts (the SA subsystem, shutdown, etc.) which assume the privilege specified in the /etc/passwd file is in effect.  Either the newgrp(1) or the newpriv(1SX) command can be used to select any other privilege once the user is operating as superuser. 

If invoked interactively to substitute another user’s identity for administrative or maintenance purposes, su reports the target user’s current default and requests the name of any other privilege desired if the default is not desired.  If the target user is not authorized for the privilege requested, su will exit with an informative message.  Note: the newpriv command cannot be used to select a new privilege while operating via su as the target user.  (See the diagnostics section of newpriv(1SX).) 

Device (and Window) Labels

If the target user is superuser, the terminal (and window) are labeled "System High" in spite of the fact that the current operating privilege defaults (by convention and for compatibility) to "System Low".  If the target user or pseudo-user is not effectively superuser, the su command relabels the user’s terminal to reflect the current operating label.  Under 630/SX, this is reflected as usual in the label displayed in the window frame. 

Shadow Password File

This command uses the security enhanced getpwent(3C) function to access the true (unsanitized) version of the /etc/passwd file.  This eliminates the possibility of the ordinary user writing a program to "guess" passwords without going through privileged (audited) commands such as su, passwd and login. 

Physical Security Considerations

The changes to su and login are designed to allow the restriction of all superuser activity to a) set-user-id commands identified as part of the Trusted Computing Base, and b) auditable operations performed on a physically secure port.  For maximum security, only the console port should be cleared to the system level. 

Because of the special maintenance and administrative commands available at the system console (especially when in firmware mode or single-user mode), maximum security requires physical protection of the system, the console port, and the system console itself.  For maximum security, it is also recommended that an independent, tamper-proof mechanism be used to monitor and record all console communications out-board of the system. 

EXAMPLES

To become user bin while retaining your previously exported environment, execute:

su bin

To become user bin but change the environment to what would be expected if bin had originally logged in, execute:

su - bin

To execute command with the temporary environment and permissions of user bin, type:

su - bin -c "command args"

FILES

/etc/passwd       system’s password file
/etc/profile      system’s profile
$HOME/.profile    user’s profile for /bin/sh, /bin/ksh
$HOME/.login      user’s login file for /bin/csh
/usr/adm/sulog    log file

SEE ALSO

env(1), login(1), sh(1). 
passwd(4), profile(4), environ(5) in the CX/UX Programmer’s Reference Manual. 

CX/UX User’s Reference Manual

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026