Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!uwm.edu!wuarchive!zaphod.mps.ohio-state.edu!think.com!linus!nixbur!nixpbe!peun33!israel
From: israel.pad@sni.de (Andreas Israel)
Newsgroups: comp.unix.questions
Subject: Re: how to create a user, which can't be su'd to ?
Keywords: su
Message-ID: <israel.664032161@peun33>
Date: 16 Jan 91 13:22:41 GMT
References: <1460@nixsin.UUCP>
Sender: news@nixpbe.sni.de
Lines: 16

In <1460@nixsin.UUCP> koerberm@nixsin.UUCP (Mathias Koerber) writes:

>I have a (small) system, which I want all my staff to be able to shutdown in
>the evening, without having to give them full root access. So i created a user
>"shut", whose .profile calls /etc/shutdown with all the necessary parameters.

You can interrupt the execution of the .profile after login!!!

>I want to protect this account against being accessed via su, so that it is not
>used accidentally. How can I do this?

You can write a little C program that will do all checking and finally call
/etc/shutdown.
Specify this program as login shell for this user in /etc/passwd.

Another way is to give SETUID root permission to such a program.