Su (Unix)


The Unix command su, which stands for substitute user, is used by a computer user to execute commands with the privileges of another user account. When executed it invokes a shell without changing the current working directory or the user environment.
When the command is used without specifying the new user id as a command line argument, it defaults to using the superuser account of the system.

History

The command su, including the Unix permissions system and the setuid system call, was part of Version 1 Unix. Encrypted passwords appeared in Version 3.

Usage

When run from the command line, su asks for the target user's password, and if authenticated, grants the operator access to that account and the files and directories that account is permitted to access.

john@localhost:~$ su jane
Password:
jane@localhost:/home/john$ exit
logout
john@localhost:~$

When used with a hyphen it can be used to start a login shell. In this mode users can assume the user environment of the target user.

john@localhost:~$ su - jane
Password:
jane@localhost:~$

The command sudo is related, and executes a command as another user but observes a set of constraints about which users can execute which commands as which other users. Unlike su, sudo authenticates users against their own password rather than that of the target user.
Some Unix-like systems implement the user group wheel, and only allow members to become root with su. This may or may not mitigate these security concerns, since an intruder might first simply break into one of those accounts. GNU su, however, does not support the group wheel for philosophical reasons. Richard Stallman argues that because the group would prevent users from utilizing root passwords leaked to them, the group would allow existing admins to ride roughshod over ordinary users.