Book: Fedora™ Unleashed, 2008 edition
Temporarily Changing User Identity with the su Command
What if you are also root, but are logged on as a regular user because you are performing nonadministrative tasks and you need to do something that only the super user can do? The su command is available for this purpose.
NOTE
A popular misconception is that the su command is short for super user; it just means substitute user. An important but often overlooked distinction is that between su and su -. In the former instance, you become that user but keep your own environment variables (such as paths). In the latter, you inherit the environment of that user. This is most noticeable when you use su to become the super user, root. Without appending the -, you do not inherit the path variable that includes /bin or /sbin, so you must always enter the full path to those commands when you just su to root.
Because almost all Linux file system security revolves around file permissions, it can be useful to occasionally become a different user with permission to access files belonging to other users or groups or to access special files (such as the communications port /dev/ttyS0 when using a modem, or the sound device /dev/audio when playing a game). You can use the su command to temporarily switch to another user identity, and then switch back.
TIP
It is never a good idea to use an Internet Relay Chat (IRC) client as the root user, and you might not want to run it using your regular user account. Create a special new user just for IRC and su to that user in a terminal window to launch your IRC client.
The su command spawns a new shell, changing both the UID and GID of the existing user, and automatically changes the environment variables associated with that user. This behavior is known as inheriting the environment. See Chapter 4, "Command-Line Quick Start," for more information on environment variables.
The syntax for the su command is this:
$ su option username arguments
The man page for su gives more details, but some highlights of the su command are as follows:
-c, --command COMMAND
    pass a single COMMAND to the shell with -c
-m, --preserve-environment
    do not reset environment variables
-l
    a full login simulation for the substituted user, the same as specifying the dash alone
You can invoke the su command in different ways that yield diverse results. By using su alone, you can become root, but you keep your regular user environment. You can verify this by using the printenv command before and after the change. Note that the working directory (you can execute pwd as a command line to print the current working directory) has not changed. By executing the following, you become root and inherit root's environment:
$ su -
By executing the following, you become that user and inherit the super user's environment — a pretty handy tool. (Remember: Inheriting the environment comes from using the dash in the command; omit that, and you keep your "old" environment.) To become another user, specify a different user's name on the command line:
$ su - other_user
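The difference between su and su - can be checked from inside the resulting shell. The following is an added example, not code from the book: it flags a shell whose environment still looks like the caller's. The function names and the ADMIN_DIRS variable are hypothetical, and it assumes that plain su to root leaves LOGNAME at the caller's value and, as the note above describes, leaves /sbin out of PATH.

```shell
#!/bin/sh
# Added example: tell a "su -" (login) environment from a plain "su" one.
# Directories an administrative PATH is expected to contain (assumption:
# only /sbin, following the text above; extend for your system).
ADMIN_DIRS="${ADMIN_DIRS:-/sbin}"

# path_has_dir PATH DIR: succeed if DIR is an exact colon-separated entry.
path_has_dir() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# classify_su_env EFFECTIVE_USER LOGNAME PATH
# Prints "login-env", or "kept-env" followed by the reasons.
classify_su_env() {
    eff_user=$1
    env_logname=$2
    env_path=$3
    findings=""
    # The environment names a different user than the one the shell runs as.
    if [ -n "$env_logname" ] && [ "$env_logname" != "$eff_user" ]; then
        findings="${findings}logname-mismatch "
    fi
    # A root shell without the administrative directories in PATH.
    if [ "$eff_user" = "root" ]; then
        for d in $ADMIN_DIRS; do
            path_has_dir "$env_path" "$d" || findings="${findings}missing:$d "
        done
    fi
    if [ -z "$findings" ]; then
        echo "login-env"
    else
        echo "kept-env ${findings% }"
    fi
}

# Apply the check to the shell that runs this script.
check_current_shell() {
    classify_su_env "$(id -un)" "${LOGNAME:-}" "$PATH"
}

check_current_shell
```

Run it once after su and once after su - to compare the two results with what printenv shows.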
When leaving an identity to return to your usual user identity, use the exit command. For example, while logged on as a regular user, use this:
$ su -
The system prompts for a password:
Password:
When the password is entered correctly, the root user's prompt appears:
#
To return to the regular user's identity, just enter the following:
# exit
This takes you to the regular user's prompt:
$
If you need to allow other users access to certain commands with root privileges, it is necessary to give them the root password so that they can use su, which definitely is not a secure solution. The next section describes a more flexible and secure method of allowing normal users to perform selected root tasks.