snafu@ihuxi.UUCP (Dave Wallis) (06/18/84)
Well, the response was really overwhelming to my question on restricting su capability to a common unix accout. My thanks to all those who took the time to send me mail. In fact, I received so many responses that I can't answer them individually - please don't be offended if I dont get a message back to you. For those of you who didn't catch the original posting, this was the question (briefly): how can I share a database between department members (i.e. let them log onto my account, since not all have an account on this machine) and still protect my account from the su command (used by someone who *has* an account on this machine)? Most of the responses fell into one of two groups: 1) write a program (c or shell script) to implement a restricted environment and have the sa install it in /etc/passwd as my default shell. Since su always starts the specified program, anyone su'ing to my account would have to go through the restricted environment. I was not aware that su behaved that way, but rereading the man page bears this out. 2) get a new account that other users log on to that just sets up the restricted environment and then set-uids to my account which still owns the database and software. Since the new account would not own any files, su-ing to it would not gain anything. Again, thanks for the help! -- Dave Wallis ihnp4!ihuxi!snafu AT&T Technologies, Inc. (312) 979-5894