Administering user accounts

Accessing other accounts with su(C)

The su(C) utility (for ``superuser'') can be used to switch over to another account temporarily. It is primarily used to access the root account, when it is executed without an argument. Otherwise, it is used in this form:

su username

su prompts for the account password, and if it is correct, a Bourne shell is started under the other account. Transitions with su do not affect the login user ID (LUID), so login and audit records remain accurate.

If a dash (-) is included in the command (su -), the environment for that user is executed (including login shell, home directory, and so forth), making it essentially the same as logging in as that user. To exit the shell, enter exit or press <Ctrl>D and you are returned to your own account.

Users can su to an pseudo-user account if they own it. To access the root account (or any other account they are not responsible for), however, the user must have the su authorization. Refer to ``Assigning subsystem authorizations'' for more information.

NOTE: The Low, Traditional, and Improved security profiles assign the su authorization by default. Users can su to any account if they know the password. Under the High security profile, the su authorization is not assigned.

Logging su(C) usage

Use of the su(C) command is logged in the file /usr/adm/sulog like this:

   SU 07/08 22:32 + ttyp0 mavrac-root

The entry indicates the date, time, location, and name of the account using the command. The following information is logged if an entry for SULOG appears in /etc/default/su:

   SULOG=/usr/adm/sulog