Reference Guide › Utilities › sesu Utility—Substitute User

sesu Utility—Substitute User

The sesu utility lets you temporarily act as another user. This utility is the CA ControlMinder version of the UNIX su command. However, the sesu utility provides a user substitution command that does not require you to provide the password of the substituted user. The authorization process is based on the CA ControlMinder access rules as defined in class SURROGATE and, optionally, on the password of the user executing the command.

The sesu utility uses the tokens in the sesu section of the seos.ini file. It also uses the following special files:

• /etc/passwd
• /etc/group
• /etc/shells

To protect against inadvertent use, sesu is marked in the file system so that no one can run it. The security administrator must mark the program as executable and setuid to root before you can use it.

Important! Before you use the sesu utility, define all users to the CA ControlMinder database and set sesu prerequisites. This prevents you from opening up the entire system to users who are not defined to CA ControlMinder.

The sesu utility optionally supports strong authentication and can prompt the user for a one-time password. You activate strong authentication in the sesu and strong_auth sections of the seos.ini file.

Note: For more information on strong authentication and the sepromote utility, read the Integration Guide chapter about CA AuthMinder integration.

Usage notes:

• If the CA ControlMinder authorization server is not found, the utility executes the system's standard su command.
• If the sesu.old_sesu configuration token is set to no, the utility executes the system's standard su command.
• If /etc/shells exists, and it does not specify the current shell, sesu does not permit substitution to root.

This utility has the following format:

sesu [-] [username] [-l] [-n] [-s shell] [-c command]

-

Sets the environment to that of the target user.

Note: On Linux, this is the same as using the -l option.

‑c command

Executes the specified command then exits.

Enclose commands containing spaces in quotes.

‑h

Displays the help for this utility.

-l

(Linux only). Specifies that the shell it opens is a login shell.

-n

Specifies not to prompt the user for password

Important! When used, the utility runs as the root account and performs a LOGIN event.

Note: If the security authorization server is not found, the utility uses /bin/su.

-s shell

(Linux only). Specifies a shell to open instead of the shell from the user's passwd entry.

The shell must be listed in the /etc/shells file.

username

Changes the ID associated with the session to the ID of the specified target user username.

If you do not specify a username, sesu default to root.

Examples

• The following command changes the UID to root. The environment remains that of the user who executed the command.

  sesu
  

• The following command changes the UID to root. The utility changes the environment to root's environment.

  sesu ‑
  

• The following command surrogates to the user John.

  sesu John
  

• The following command surrogates to the user Carol and executes the specified command, ls ‑la, from the /home/carol directory.

  sesu ‑ Carol ‑c "ls ‑la /home/carol"
  

• The following command surrogates to the user Angelo, uses a bash shell and opens it as a login shell.

  sesu Angelo ‑l -s /bin/bash
  

  Note: This is valid on Linux only.

More information

sesu