suauth(5) — Linux manual page


SUAUTH(5)            File Formats and Configuration            SUAUTH(5)

NAME         top

       suauth - detailed su control file

SYNOPSIS         top


DESCRIPTION         top

       The file /etc/suauth is referenced whenever the su command is
       called. It can change the behaviour of the su command, based

                 1) the user su is targeting

       2) the user executing the su command (or any groups he might be a
       member of)

       The file is formatted like this, with lines starting with a #
       being treated as comment lines and ignored;


       Where to-id is either the word ALL, a list of usernames delimited
       by "," or the words ALL EXCEPT followed by a list of usernames
       delimited by ",".

       from-id is formatted the same as to-id except the extra word
       GROUP is recognized.  ALL EXCEPT GROUP is perfectly valid too.
       Following GROUP appears one or more group names, delimited by
       ",". It is not sufficient to have primary group id of the
       relevant group, an entry in /etc/group(5) is necessary.

       Action can be one only of the following currently supported

           The attempt to su is stopped before a password is even asked

           The attempt to su is automatically successful; no password is
           asked for.

           For the su command to be successful, the user must enter his
           or her own password. They are told this.

       Note there are three separate fields delimited by a colon. No
       whitespace must surround this colon. Also note that the file is
       examined sequentially line by line, and the first applicable rule
       is used without examining the file further. This makes it
       possible for a system administrator to exercise as fine control
       as he or she wishes.

EXAMPLE         top

                 # sample /etc/suauth file
                 # A couple of privileged usernames may
                 # su to root with their own password.
                 # Anyone else may not su to root unless in
                 # group wheel. This is how BSD does things.
                 root:ALL EXCEPT GROUP wheel:DENY
                 # Perhaps terry and birddog are accounts
                 # owned by the same person.
                 # Access can be arranged between them
                 # with no password.

FILES         top


BUGS         top

       There could be plenty lurking. The file parser is particularly
       unforgiving about syntax errors, expecting no spurious whitespace
       (apart from beginning and end of lines), and a specific token
       delimiting different things.

DIAGNOSTICS         top

       An error parsing the file is reported using syslogd(8) as level
       ERR on facility AUTH.

SEE ALSO         top


COLOPHON         top

       This page is part of the shadow-utils (utilities for managing
       accounts and shadow password files) project.  Information about
       the project can be found at 
       ⟨⟩.  If you have a bug
       report for this manual page, send it to  This page was obtained
       from the project's upstream Git repository
       ⟨⟩ on 2022-12-17.  (At that
       time, the date of the most recent commit that was found in the
       repository was 2022-12-15.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to

shadow-utils 4.11.1            12/17/2022                      SUAUTH(5)