|
Chapter 22 File Security, Ownership, and Sharing |
|
|
|
Chapter 22 File Security, Ownership, and Sharing |
|
System administrators use the su command to become the superuser ( 1.24 ) . But you can use it for lots more:
Become another user temporarily, without logging off your account.
Become another user without tying up another terminal port.
Switch between multiple users any time (on systems with job control).
Do a "quick login" to another user's account, especially when the system is busy.
When you type:
youraccount%suwhoeverPassword: whoever%
UNIX starts a
subshell (
38.4
)
that runs as the user
whoever
. After you use the
cd
command to go to the user's home directory, you can run commands as if you'd logged into that account (more or less... see below).
End the subshell and go back to the account where you typed
su
with the
exit
(
38.4
)
command or a CTRL-d.
Or, on systems with
job control (
12.8
)
, you can stop the subshell temporarily and go back to the account where you started the
su
. To do that, type
suspend
if
whoever
's shell has job control (most shells do); otherwise, enter CTRL-z at the shell prompt.
NOTE: If the su subshell doesn't have job control but your starting shell does, entering CTRL-z to any command you run from the subshell will stop the command and the subshell .
You can use suspend to start multiple su sessions from the same shell. You can go back to your original login, from any of those sessions, without losing your shell history, current directory, etc. Because these shells run on the same tty ( 3.8 ) as your login shell, su doesn't tie up other tty/pty ports like multiple logins or multiple windows can. This is helpful on busy machines with lots of users.
On any UNIX system, you can type
exit
(or use CTRL-d) to go back to the original login. But on systems with job control, you can
su
to several other users and jump back to your original login at any time. Job control lets you suspend an
su
and go back to the place you left off without typing another
su
(and password). Many shells have a
suspend
command that lets you do that. On other shells, you may be able to enter CTRL-z (your job suspend character) or make a command
alias (
10.4
)
to stop the current shell:
kill $$ |
alias suspend='kill -STOP $$' |
|---|
Here's a demo. I'm logged in to the account jerry on the computer wheeze . I've su ed to the superuser, sarah , and manuals accounts, too. I'm using job control to switch users:
jerry@wheeze%jobs[1] Stopped su [2] - Stopped su sarah [3] + Stopped su manuals jerry@wheeze%fgsu manuals ... Do stuff as manuals ... manuals@wheeze%suspendStopped jerry@wheeze%fg %1su wheeze# ... Do stuff as root ... wheeze#suspendStopped jerry@wheeze%
I use that so much that I've made a single-letter alias ( 10.2 ) named z that does a suspend .
|
whoami
id |
It's easier to jump between accounts if the shells'
prompts (
7.1
)
have the username in them, as shown above. If not, use the command
whoami
or
id
to see which user you are. Your system should have one or both; both GNU versions are on the CD-ROM. Also, to see your original login name (the account where you started the
su
), try
who am i
(with spaces). |
|---|
Some System V versions don't change the environment variable
HOME
(
LOGDIR
) (
14.11
)
to the right value for the account you
su
to. That means a
cd
command will take you to the home directory of your original login, not the home directory of your
su
ed account. Also, a C shell you start on the other account won't read your
.cshrc
file. The best fix for that is a shell script named
su
that sets the variable for you. The script is run by the
C shell
:-(
(
47.2
)
because
csh
has the
~
(tilde) operator (
14.11
)
for finding the account's home directory.
Add this script to a directory before
/bin
in your path (
8.7
)
or make an alias or shell function that runs the script instead of the standard
su
.
x !~ exec :q |
#!/bin/csh -f # su - fix incorrect $HOME and USER with system 'su' command foreach arg ($argv) # find first non-option argument if ("x$arg" !~ x-*) then setenv HOME ~$arg setenv USER $arg exec /bin/su $argv:q endif end echo "$0 ERROR: can't find username." exit 1
|
|---|
Another workaround for that is an alias with the name of the account I'm su ing to:
(..) |
alias randi '(setenv HOME ~randi; setenv USER randi; su randi)' |
|---|
There's another problem that can happen on any version of UNIX: the account you
su
to
doesn't have permission (
22.2
)
to access the current directory where you ran the
su
command. Then, you may get an error like
getwd: can't stat .
from the C shell on the account you
su
to. Or you may get no error but the
su
will fail. The fix for both problems is to
cd
to a world-access directory like
/
or
/tmp
before you run
su
. An alias can make that easy:
\su |
alias su '(cd /; \su \!*)' |
|---|
You can also add the
cd /
command to this shell script if you want.
If the account you
su
to runs the C shell (and you don't use the
-f
option--see below), it will read the
.cshrc
file. If that
.cshrc
has hardcoded pathnames or commands that only the other account can run, the commands might fail. That can cause a variety of "fun" problems. Try replacing hardcoded pathnames like
/home/
oldacct
/bin
with paths that use account-specific variables like
$home/bin
,
~/bin
, and so on.
Plain
su
whoever
doesn't read a C shell user's
.login
file or a Bourne shell user's
.profile
. Using
su -
whoever
(see the section "Other su Features" at the end of this chapter) solves that, but you can't suspend an
su -
shell (at least not on my systems).
Finally, because the
su
command runs in a
subshell (
38.4
)
,
environment variables (
6.1
)
set in the account you
su
from will be passed into the subshell. That can be good or bad. For instance, your favorite
EDITOR (
6.3
)
(
vi
, Emacs, or whatever) can be passed to the account you
su
to. But that account might also set a variable that you want to use. If you're wondering what's set after you
su
, type
set
for a list of shell variables, and either
env
or
printenv
(
6.1
)
to see environment variables.
If your system is busy, it can take time to run through all the commands in the other user's
.cshrc
file. The
su
command can pass arguments to the subshell it starts, though. If the other account uses C shell, the
-f
option tells it not to read the
.cshrc
file (for example,
su -f
whoever
). You won't get that account's
.cshrc
setup, but you will start to work on it sooner.
If logging in on your system takes a long time and you want to switch to another account permanently, you can exec ( 45.7 ) the su command:
%exec suwhoever
That makes a weird situation where the
who
(
51.4
)
command will show you logged on as your original account, but you'll be running as
whoever
(the
whoami
or
id
command will tell you that). Also, because the
su
shell isn't a
login shell (
2.8
)
, the
logout
command won't work; you'll need to type
exit
instead. So,
exec su
is a little tricky-but it's fast.
The command su -e , which may also be called su -m or su -p , switches to the other user's account but keeps the environment you have now. That's handy when you're having trouble with the other user's environment or want to keep your own. (Some su s do -m by default, more or less. Use env or printenv ( 6.1 ) to see what you get.)
The command su - simulates a full login to the other account. If the other account runs the Bourne shell, the .profile will be read. For the C shell, both .cshrc and .login will be read. You can't suspend a su - subshell. When you log out though, you'll be back in your original account's shell.
-
|
|
|
|
| 22.21 How to Change File Ownership Without chown |
|
23. Removing Files |
