su HAS to be suid root. Irregardless of shadow passwords. If I am user x, and I want to become user y, the process that calls seteuid() HAS to be running as UID 0. Since this process is su, it needs to be run by root or as root, i.e. setuid root. If you chown root.shadow su, and then chmod it 2755 (setgid), you WON'T be able to use su as a non-root user. Try it: $ su Password: su: cannot set groups: Operation not permitted Carl