[net.unix] su: The Final Story

snafu@ihuxi.UUCP (Dave Wallis) (06/18/84)

Well, the response was really overwhelming to my question on
restricting su capability to a common unix account. My thanks to all
those who took the time to send me mail. In fact, I received so many
responses that I can't answer them individually - please don't be
offended if I don't get a message back to you.

For those of you who didn't catch the original posting, this was the
question (briefly): how can I share a database between department
members (i.e. let them log onto my account, since not all have an
account on this machine) and still protect my account from the su
command (used by someone who *has* an account on this machine)?

Most of the responses fell into one of two groups:

1) write a program (c or shell script) to implement a restricted
environment and have the sa install it in /etc/passwd as my default
shell. Since su always starts the specified program, anyone su'ing to
my account would have to go through the restricted environment. I was
not aware that su behaved that way, but rereading the man page bears
this out.

2) get a new account that other users log on to that just sets up the
restricted environment and then set-uids to my account which still
owns the database and software. Since the new account would not own
any files, su-ing to it would not gain anything.
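The restricted environment from option 1, as an added example in C (not code from the post or from any respondent): installed as the shared account's shell in /etc/passwd it is what both login and su end up running, and owned by the database account with the set-uid bit it is the wrapper option 2 describes. The program path, the single kept variable and the rejection of su's `-c` argument are assumptions.

```c
/* dbshell.c: restricted login shell for a shared database account.
 * DB_PROGRAM and the environment policy below are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

#define DB_PROGRAM "/usr/local/lib/dbmenu"   /* hypothetical front end */

/* su hands "-c command" (and login a leading "-") to whatever shell
 * /etc/passwd names.  A restricted shell must not act as a command
 * interpreter, so anything beyond an optional "-" is refused. */
int args_are_safe(int argc, char *const argv[]) {
    if (argc <= 1) return 1;
    return argc == 2 && strcmp(argv[1], "-") == 0;
}

/* Build a minimal environment for the database program: keep only the
 * first TERM from the caller, then add a fixed PATH and IFS so nothing
 * inherited through su (PATH, IFS, ENV, SHELL, ...) can alter behaviour.
 * Writes a NULL-terminated list into out; returns the entry count. */
int build_safe_env(char *const in[], char *out[], int max) {
    int n = 0, i;
    for (i = 0; in[i] != NULL && n < max - 3; i++)
        if (strncmp(in[i], "TERM=", 5) == 0) { out[n++] = in[i]; break; }
    out[n++] = "PATH=/bin:/usr/bin";
    out[n++] = "IFS= \t\n";
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[]) {
    char *env[8];
    char *args[] = { "dbmenu", NULL };

    if (!args_are_safe(argc, argv)) {
        fprintf(stderr, "%s: this account only runs the database program\n",
                argv[0]);
        return 1;
    }
    build_safe_env(environ, env, 8);
    execve(DB_PROGRAM, args, env);
    perror(DB_PROGRAM);          /* reached only if the exec fails */
    return 1;
}
```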

Again, thanks for the help!


-- 


                              Dave Wallis
                           ihnp4!ihuxi!snafu
                         AT&T Technologies, Inc.
                            (312) 979-5894