snafu@ihuxi.UUCP (Dave Wallis) (06/14/84)
Well, I guess I rather screwed this one up! Yesterday I submitted an article requesting info on how to restrict su access to my account, but I guess that I didn't include enough information. Rather than send mail to everyone who has responded (thanx!), let me restate my question in more detail.

I have a database on my gp unix account that members of my department need to access. Some of them have accounts on the same machine, others are on other gp machines. The system contains both an environment and the actual database. Currently, users log onto my account, which sets up a restricted environment with a limited number of commands available.

The problem is not the people on other machines who have my password. The problem is that a person *with his own account on the same machine* can su to my account (since he knows the password), avoiding the restricted environment, and have fun and games time in my directories. Using group ids is ok except that I still must give out the password to those who don't have an account on my machine, so I must assume that the password is not secure (to avoid the very restricted environment requires passing several levels of barbed wire and alarms, so I am not too concerned about an outside person gaining access to my files).

So here is my question again: is there a way in unix to restrict su access (except for root, naturally) to my account?

All replies welcome, please respond by mail, and thanx in advance.

--
Dave Wallis
ihnp4!ihuxi!snafu
AT&T Technologies, Inc.
(312) 979-5894

grd@iwu1d.UUCP (grd) (06/18/84)
...

Dave:

We had a similar problem like this which we resolved as follows:

We used two login accounts to accomplish this task. Login xx root level was owned by login yy. The profile was also owned by login yy and granted write permission via su within the profile. A limited number of functions were allowed via profile control. Traps were set to ignore breaks etc. on login.

This will prevent the su people from even looking at anything because the permission level will not permit them to do so.

The only fallacy... They still can play games etc. in the /usr/tmp or /tmp or their own ids, but I don't think you were concerned about this because if they already have an account on the machine, they work for the company.

Garry R. Daly
iwu1d!grd
AT&T-T ..