The file /etc/suauth is referenced whenever the su command is called.
It can change the behaviour of the su command, based upon:
1) the user su is targeting
2) the user executing the su command (or any groups he might be a
The file is formatted like this, with lines starting with a # being
treated as comment lines and ignored;
Where to-id is either the word ALL, a list of usernames delimited by
"," or the words ALL EXCEPT followed by a list of usernames delimited
from-id is formatted the same as to-id except the extra word GROUP is
recognized. ALL EXCEPT GROUP is perfectly valid too. Following GROUP
appears one or more group names, delimited by ",". It is not
sufficient to have primary group id of the relevant group, an entry
in /etc/group(5) is necessary.
Action can be one only of the following currently supported options.
The attempt to su is stopped before a password is even asked for.
The attempt to su is automatically successful; no password is
For the su command to be successful, the user must enter his or
her own password. They are told this.
Note there are three separate fields delimited by a colon. No
whitespace must surround this colon. Also note that the file is
examined sequentially line by line, and the first applicable rule is
used without examining the file further. This makes it possible for a
system administrator to exercise as fine control as he or she wishes.
# sample /etc/suauth file
# A couple of privileged usernames may
# su to root with their own password.
# Anyone else may not su to root unless in
# group wheel. This is how BSD does things.
root:ALL EXCEPT GROUP wheel:DENY
# Perhaps terry and birddog are accounts
# owned by the same person.
# Access can be arranged between them
# with no password.
There could be plenty lurking. The file parser is particularly
unforgiving about syntax errors, expecting no spurious whitespace
(apart from beginning and end of lines), and a specific token
delimiting different things.
This page is part of the shadow-utils (utilities for managing
accounts and shadow password files) project. Information about the
project can be found at ⟨https://github.com/shadow-maint/shadow⟩. If
you have a bug report for this manual page, send it to
firstname.lastname@example.org. This page was obtained
from the project's upstream Git repository
⟨https://github.com/shadow-maint/shadow⟩ on 2020-08-13. (At that
time, the date of the most recent commit that was found in the repos‐
itory was 2020-08-13.) If you discover any rendering problems in
this HTML version of the page, or you believe there is a better or
more up-to-date source for the page, or you have corrections or
improvements to the information in this COLOPHON (which is not part
of the original manual page), send a mail to email@example.com
shadow-utils 4.8.1 08/13/2020 SUAUTH(5)