Su
Latest revision as of 15:51, 6 June 2005
su is short for substitute user (the FreeBSD manual page describes it as "substitute user identity"; it is commonly read as switch user). It is the system command used under FreeBSD and other unix-like operating systems to change your user context without logging out and back in as a different user.
If you type su at the shell prompt without an argument, su assumes you want to become root. Becoming root is a special case under FreeBSD: unlike many other unix-like operating systems, knowing the root password is not enough. FreeBSD's default behavior is to allow only members of the special group wheel to su to root. If you are a member of wheel you are given a password challenge (for the root password, not your own); if you are not, su simply answers "Sorry" and never prompts, so a guessed root password typed from a non-wheel account is never even checked. On FreeBSD releases that use PAM (5.x onward) this rule is enforced by the pam_group entry in /etc/pam.d/su rather than hard-coded into su, so that file is where to confirm or change it.
However, su is useful for more than assuming root. You can take on any user context with it, which makes it an excellent troubleshooting tool: you can instantly check file permissions and other access problems, or a user-specific shell environment, exactly as that user sees them. Simply give su the name of the user whose context you want as an argument. If you are already root, su switches quietly without asking for a password; if you are not root and ask to become another non-root user, su lets you try, but requires that user's password before it changes context.
One thing to remember about using su to change user context is that it starts a new shell without closing your old one, so when you are done with whosever identity you have borrowed, simply exit to drop back to your original shell (nested su invocations stack, and each exit pops one level). What the new shell looks like depends on the flags. With "-" (the same as -l) su simulates a full login: the environment is discarded except for HOME, SHELL, PATH, TERM and USER, PATH is reset to /bin:/usr/bin, and the target user's login shell is started in the target's home directory, where it reads that user's own startup files (.profile, .login, .cshrc, and so on). Without the flag su still starts the target user's shell and sets HOME and SHELL (and USER, unless the target is root) for the target, but otherwise leaves your environment and current directory alone, so the target's per-shell startup file is read while your variables survive. With -m the environment is left completely untouched and it is your own login shell that is started, so your startup files, not the target's, apply. In every case it is the shell that actually starts which decides what it reads: a tcsh will never read a .bashrc, whoever owns it.
Many new sysadmins occasionally su to their own user context to make an environment change take effect, for instance after adding or altering programs in a directory on their PATH. This is intuitive and works (the new shell builds its command table from scratch), but it is sloppy: it spends another shell's worth of resources without freeing the old one and prompts for your password for nothing. The shell already has a command for this: rehash in csh and tcsh, or hash -r in sh and bash, which discards the cached command locations so the next lookup searches PATH again.
An account that cannot su to root (one that is not in wheel) gives an attacker who compromises it no su-based route to root: a trojaned shell or a keylogger planted in that account cannot harvest a root password you never type there, and guessing the password does not help because su refuses before it is checked. The cost is inconvenience, which is why some users keep two accounts: a personal one, outside wheel, that is a little safer for browsing seedy web sites and reading mail, and a separate work account, inside wheel, where getting the job done quickly has priority and the root password does get typed.
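The wheel rule above, and the two-account policy built on it, both come down to one question: which logins are actually in wheel on this host? The following shell script is an added example, not part of the original article and not FreeBSD's own su code. It audits wheel membership the way su's check sees it, including the accounts that carry wheel (gid 0) as their primary group, which the member list in group(5) does not show. The file names are parameters so it can be run against copies; /etc/group and /etc/passwd are the live files.

```shell
#!/bin/sh
# Added example, not part of the original article or of FreeBSD's su(1):
# an audit of who passes the wheel check that su applies before it will
# even ask for the root password. The files are passed as arguments so the
# script can be run against copies; use /etc/group and /etc/passwd for the
# live system.

# wheel_members GROUPFILE PASSWDFILE
# Print every login that is in wheel, one per line, sorted:
#   - the member list of the wheel entry in GROUPFILE, plus
#   - every account in PASSWDFILE whose primary gid is wheel's gid,
#     because group(5) member lists omit users who carry the group as
#     their primary group (root is the usual case).
# Exit 1 if GROUPFILE has no wheel entry at all.
wheel_members() {
    gf=$1
    pf=$2
    wheel_gid=$(awk -F: '$1 == "wheel" { print $3; exit }' "$gf")
    [ -n "$wheel_gid" ] || return 1
    {
        awk -F: '$1 == "wheel" {
                     n = split($4, m, ",")
                     for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
                 }' "$gf"
        awk -F: -v g="$wheel_gid" '$4 == g { print $1 }' "$pf"
    } | sort -u
}

# can_su_root LOGIN GROUPFILE PASSWDFILE
# Exit 0 if LOGIN would be offered the root password prompt by `su`,
# 1 if su would answer "Sorry" without prompting.
can_su_root() {
    wheel_members "$2" "$3" | grep -qxF -- "$1"
}

# Stand-alone use: `sh wheel_audit.sh audit` reports on the live system.
case "${1-}" in
    audit)
        echo "accounts that can su to root on this host:"
        wheel_members /etc/group /etc/passwd | sed 's/^/  /'
        ;;
esac
```

Run it against a system where you expect only administrators in wheel; any login you do not recognise in the output is a login that gets a root password prompt, and on a split personal/work setup the personal account should not appear at all.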
Common Flags
-    The same as -l.

-l   Simulate a full login: the environment is discarded except for HOME, SHELL, PATH, TERM and USER, PATH is reset to /bin:/usr/bin, and the target user's login shell is started in the target's home directory. On FreeBSD a login is not simulated unless you ask for it, so use this flag when you want to be sure you end up in the target's own shell with the target's own environment rather than in a shell you were not expecting.

-m   "Leave me alone, just make me root." The environment is left unmodified: you stay in your current directory, keep your current PATH, and the shell started is your own login shell rather than the target's. As a security precaution, if the target user's shell is not a standard shell (see getusershell(3)) and you are not already root, su fails. Remember that a root shell started this way resolves every command through the PATH you built as an unprivileged user.

-c class   Use the settings of the named login class from login.conf(5) (resource limits, environment, and so on) for the new session. Only the super-user may use it. This is su's own -c and must come before the login name; a -c that appears after the login name is passed through to the target's shell, which is how "su user -c 'command'" runs a single command as another user. Consult the manual page for details.
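Because -m keeps your environment, a root shell started with su -m looks commands up through your PATH, the one point where the default, -l and -m behaviours described above differ in a way that matters for security: any directory on that PATH that a non-root user can write to is a place to plant a binary that root will then run. The following shell script is an added example, not from the original article and not part of FreeBSD's su, that lists the PATH entries an unprivileged user could seed before you use -m.

```shell
#!/bin/sh
# Added example, not part of the original article or of FreeBSD's su(1):
# `su -m` hands root a shell with your environment untouched, PATH included,
# so every command root then types is looked up through directories you
# chose as an unprivileged user. Before using -m, list the PATH entries that
# someone other than root could drop a binary into.

# unsafe_path_dirs "PATH-STRING"
# Print one "ENTRY: reason" line per risky entry, in PATH order:
#   - empty or relative entries (they resolve against the current directory),
#   - entries that do not exist (anyone who can write the parent can create them),
#   - directories writable by group or by everyone (mode taken from ls -ld,
#     which is portable across FreeBSD and GNU userlands).
# Prints nothing when the PATH is clean.
unsafe_path_dirs() {
    rest="$1:"                          # trailing ':' terminates the loop
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        rest=${rest#*:}
        case $d in
            "") echo "(empty entry): resolves to the current directory"; continue ;;
            /*) ;;
            *)  echo "$d: relative entry, resolves against the current directory"; continue ;;
        esac
        if [ ! -d "$d" ]; then
            echo "$d: does not exist, could be created by whoever can write its parent"
            continue
        fi
        mode=$(ls -ldL -- "$d" | cut -c1-10)   # e.g. drwxrwxr-x
        case $mode in
            ????????w*) echo "$d: world-writable" ;;
            ?????w*)    echo "$d: group-writable" ;;
        esac
    done
}

# Stand-alone use: `sh path_audit.sh audit` checks the PATH of the shell
# you are about to `su -m` from.
case "${1-}" in
    audit)
        out=$(unsafe_path_dirs "$PATH")
        if [ -n "$out" ]; then
            echo "PATH entries an unprivileged user could seed before 'su -m':"
            printf '%s\n' "$out" | sed 's/^/  /'
        else
            echo "PATH looks safe to inherit with 'su -m'"
        fi
        ;;
esac
```

If the audit prints anything, prefer su -l (or plain su, which at least does not keep your shell) or fix the offending directories first; a clean report is what makes -m's convenience acceptable.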