Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!bria!mike
Newsgroups: comp.unix.questions
Subject: Re: how to create a user, which can't be su'd to ?
Keywords: su
Message-ID: <371@bria>
Date: 20 Jan 91 00:53:28 GMT
References: <1460@nixsin.UUCP>
Reply-To: uunet!bria!mike (Michael Stefanik)
Organization: Briareus Corporation, Los Angeles, CA
Lines: 73

In article <1460@nixsin.UUCP> nixsin.UUCP!koerberm (Mathias Koerber) writes:
>Howdy,
>
>I have a (small) system, which I want all my staff to be able to shutdown in
>the evening, without having to give them full root access. So I created a user
>"shut", whose .profile calls /etc/shutdown with all the necessary parameters.
>
>I want to protect this account against being accessed via su, so that it is not
>used accidentally. How can I do this?

There is no way to allow an account for login, but disable it for su (that
I know of ...); however, here are some alternatives.

One way would be to write a program that exec()'d /etc/shutdown, and ran
suid, such as:

---[ cut here, call shut.c ]---------------------------------------------------
#include <stdio.h>
#include <stdlib.h>	/* exit() */
#include <unistd.h>	/* getgid(), execlp() */

#define MAGIC_GID	100	/* group id that is allowed to shut down */

int main(int argc, char *argv[])
{
FILE *fp;
int users = 0;
char buf[128];

	/* only members of the magic group (real gid) may continue */
	if ( getgid() != MAGIC_GID ) {
		fprintf(stderr,"%s: you are not allowed to shutdown\n",argv[0]);
		exit(1);
		}

	/* popen() runs who through the shell; one output line per login */
	if ( (fp = popen("who","r")) == NULL ) {
		fprintf(stderr,"%s: cannot shutdown system\n",argv[0]);
		exit(1);
		}

	while ( fgets(buf,128,fp) != NULL )
		++users;

	pclose(fp);	/* streams from popen() are closed with pclose() */

	/* more than one line means someone besides the caller is logged in */
	if ( users > 1 ) {
		fprintf(stderr,"%s: everyone is not logged out!\n",argv[0]);
		exit(1);
		}

	execlp("/etc/shutdown","/etc/shutdown",(char *)NULL);

	/* reached only if the exec failed */
	perror("/etc/shutdown");
	return 1;
}
---[ cut here ]--------------------------------------------------------------

You would then compile this program, make sure the owner was root, and
chmod "shut" to 4111. Thus, all your non-root admin would have to do is
enter /etc/shut (or whatever) to allow them to shut the machine down when
no one is using it.

Note that MAGIC_GID should be changed to the group id of your non-root
admin; others won't be allowed to use it.

Another option would be to have the system shutdown on its own, by putting
a "fast shutdown" command in root's crontab, such as:

	sh -c "sync; sleep 5; /etc/haltsys"

I know this isn't what you're explicitly asking for, but these are some
alternatives I thought I'd throw out there.
-- 
Michael Stefanik, Systems Engineer (JOAT), Briareus Corporation
UUCP: ...!uunet!bria!mike
--
technoignorami (tek'no-ig'no-ram`i) a group of individuals that are constantly
found to be saying things like "Well, it works on my DOS machine ..."
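
Added example, not part of the original post or the author's code: a variant of shut.c that avoids popen(), which in a setuid program runs /bin/sh with the caller's environment. It counts sessions from utmpx and execs /etc/shutdown with a fixed environment; count_sessions, shutdown_decision, clean_env and the PATH value are names and values assumed for this illustration.

```c
/* Added example, not from the original post: shut.c without popen() or a shell. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <utmpx.h>

#define MAGIC_GID 100             /* assumption: gid of the shutdown operators */
#define SHUTDOWN  "/etc/shutdown" /* path used in the post */

/* Fixed environment for the child (assumed values); nothing is inherited. */
static char *const clean_env[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };

/* Count login sessions by reading utmpx records directly, so no external
 * command (and no caller-controlled PATH or IFS) is involved. */
int count_sessions(void)
{
    struct utmpx *ut;
    int n = 0;

    setutxent();
    while ((ut = getutxent()) != NULL)
        if (ut->ut_type == USER_PROCESS && ut->ut_user[0] != '\0')
            n++;
    endutxent();
    return n;
}

/* 0 = proceed, 1 = caller not in the allowed group, 2 = others logged in.
 * Same threshold as the post: more than one session blocks the shutdown. */
int shutdown_decision(gid_t real_gid, gid_t allowed, int sessions)
{
    if (real_gid != allowed)
        return 1;
    return sessions > 1 ? 2 : 0;
}

int main(int argc, char *argv[])
{
    char *const args[] = { SHUTDOWN, NULL };
    int why = shutdown_decision(getgid(), MAGIC_GID, count_sessions());

    (void)argc;
    if (why != 0) {
        fprintf(stderr, "%s: %s\n", argv[0], why == 1 ?
                "you are not allowed to shutdown" : "everyone is not logged out!");
        return 1;
    }
    execve(SHUTDOWN, args, clean_env);   /* direct exec, no PATH search */
    perror(SHUTDOWN);                    /* reached only if execve() failed */
    return 1;
}
```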