 | Chapter 22 File Security, Ownership, and Sharing |  |
| Chapter 22 File Security, Ownership, and Sharing | |
System administrators use the su command to become the superuser (1.24). But you can use it for lots more:
Become another user temporarily, without logging off your account.
Become another user without tying up another terminal port.
Switch between multiple users any time (on systems with job control).
Do a "quick login" to another user's account, especially when the system is busy.
When you type:
youraccount%suwhoeverPassword: whoever%
UNIX starts a
subshell (38.4)
that runs as the user whoever.
After you use the cd command to go to the user's home directory, you can
run commands as if you'd logged into that account (more or less... see below).
End the subshell and go back to the account where you typed su with the
exit (38.4)
command or a
CTRL-d.
Or, on systems with
job control (12.8),
you can stop the subshell temporarily and go back to the account where you
started the su.
To do that, type suspend if whoever's shell has job control
(most shells do); otherwise, enter
CTRL-z
at the shell prompt.
NOTE: If the su subshell doesn't have job control but your starting shell does, entering CTRL-z to any command you run from the subshell will stop the command and the subshell.
You can use suspend to start multiple su sessions from the same shell. You can go back to your original login, from any of those sessions, without losing your shell history, current directory, etc. Because these shells run on the same tty (3.8) as your login shell, su doesn't tie up other tty/pty ports like multiple logins or multiple windows can. This is helpful on busy machines with lots of users.
On any UNIX system, you can type exit (or use
CTRL-d)
to go back
to the original login.
But on systems with job control, you can su to several other users and
jump back to your original login at any time.
Job control lets you suspend an su and go back to the
place you left off without typing another su (and password).
Many shells have a suspend command that lets you do that.
On other shells, you may be able to enter
CTRL-z
(your job suspend
character) or make a command
alias (10.4)
to stop the current shell:
kill $$ | alias suspend='kill -STOP $$' |
|---|
Here's a demo. I'm logged in to the account jerry on the computer wheeze. I've sued to the superuser, sarah, and manuals accounts, too. I'm using job control to switch users:
jerry@wheeze%jobs[1] Stopped su [2] - Stopped su sarah [3] + Stopped su manuals jerry@wheeze%fgsu manuals ...Do stuff as manuals... manuals@wheeze%suspendStopped jerry@wheeze%fg %1su wheeze# ...Do stuff as root... wheeze#suspendStopped jerry@wheeze%
I use that so much that I've made a single-letter alias (10.2) named z that does a suspend.
| whoami id | It's easier to jump between accounts if the shells'
prompts (7.1)
have the username
in them, as shown above.
If not,
use the command whoami or id to see which user you are.
Your system should have one or both; both GNU versions are on the
CD-ROM. Also, to see your original login name (the account where you started the
su), try
who am i
(with spaces). |
|---|
Some System V versions don't change the environment variable
HOME (LOGDIR) (14.11)
to the right value for the account you su to.
That means a cd command will take you to the home directory of
your original login, not the home directory of your sued account.
Also, a C shell you start on the other account won't read your .cshrc
file.
The best fix for that is a shell script named su that sets the variable
for you.
The script is run by the
C shell :-( (47.2)
because csh has the
~ (tilde) operator (14.11)
for finding the account's home directory.
Add this script to a directory before /bin in your path (8.7)
or make an alias or shell function that runs the script instead of the standard
su.
x !~ exec :q |
#!/bin/csh -f
# su - fix incorrect $HOME and USER with system 'su' command
foreach arg ($argv)
# find first non-option argument
if ("x$arg" !~ x-*) then
setenv HOME ~$arg
setenv USER $arg
exec /bin/su $argv:q
endif
end
echo "$0 ERROR: can't find username."
exit 1 |
|---|
Another workaround for that is an alias with the name of the account I'm suing to:
(..) | alias randi '(setenv HOME ~randi; setenv USER randi; su randi)' |
|---|
There's another problem that can happen on any version of UNIX:
the account you su to
doesn't have permission (22.2)
to access the current directory where you ran the su command.
Then, you may get an error like getwd: can't stat . from the C shell
on the account you su to.
Or you may get no error but the su will fail.
The
fix for both problems is to cd to a world-access directory like
/ or /tmp before you run su.
An alias can make that easy:
\su | alias su '(cd /; \su \!*)' |
|---|
You can also add the cd / command to this shell script if you want.
If the account you su to runs the C shell (and you don't use the
-f option--see below), it will read the .cshrc file.
If that .cshrc has hardcoded pathnames or commands that only the
other account can run, the commands might fail.
That can cause a variety of "fun" problems.
Try replacing hardcoded pathnames like
/home/oldacct/bin with paths that use account-specific
variables like $home/bin, ~/bin, and so on.
Plain su whoever doesn't read a
C shell user's .login file or a Bourne shell user's .profile.
Using su - whoever (see the section "Other su
Features" at the end of this chapter) solves
that,
but you can't suspend an su - shell (at least not on my systems).
Finally, because the su command runs in a
subshell (38.4),
environment variables (6.1)
set in the account you su from will be passed into
the subshell.
That can be good or bad.
For instance, your favorite
EDITOR (6.3)
(vi, Emacs, or whatever)
can be passed to the account you su to.
But that account might also set a variable that you want to use.
If you're wondering what's set after you su, type set for a
list of shell variables, and either
env or printenv (6.1)
to see environment variables.
If your system is busy, it can take time to run through all the commands
in the other user's .cshrc file.
The su command can pass arguments to the subshell it starts, though.
If the other account uses C shell, the -f option tells it not to read
the .cshrc file (for example, su -f whoever).
You won't get that account's .cshrc setup, but you will start to work on
it sooner.
If logging in on your system takes a long time and you want to switch to another account permanently, you can exec (45.7) the su command:
%exec suwhoever
That makes a weird situation where the
who (51.4)
command will show you logged
on as your original account, but you'll be running as whoever
(the whoami or id command will tell you that).
Also, because the su shell isn't a
login shell (2.8),
the logout command
won't work; you'll need to type exit instead.
So, exec su is a little tricky-but it's fast.
The command su -e, which may also be called su -m or su -p, switches to the other user's account but keeps the environment you have now. That's handy when you're having trouble with the other user's environment or want to keep your own. (Some sus do -m by default, more or less. Use env or printenv (6.1) to see what you get.)
The command su - simulates a full login to the other account. If the other account runs the Bourne shell, the .profile will be read. For the C shell, both .cshrc and .login will be read. You can't suspend a su - subshell. When you log out though, you'll be back in your original account's shell.
-
|  | |
| 22.21 How to Change File Ownership Without chown |  | 23. Removing Files |
