Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!tut.cis.ohio-state.edu!uccba!ucqais!dstrombe
From: dstrombe@ucqais.uc.edu (pri=2 Dan Stromberg)
Newsgroups: comp.unix.questions
Subject: Re: how to create a user, which can't be su'd to ?
Keywords: su
Message-ID: <2594@ucqais.uc.edu>
Date: 21 Jan 91 15:17:33 GMT
References: <1460@nixsin.UUCP>
Organization: Univ of Cincinnati, College of Business Admin.
Lines: 43

In article <1460@nixsin.UUCP>, koerberm@nixsin.UUCP (Mathias Koerber) writes:
> Howdy,
>
> I have a (small) system, which I want all my staff to be able to shutdown in
> the evening, without having to give them full root access. So I created a user
> "shut", whose .profile calls /etc/shutdown with all the necessary parameters.
>
> I want to protect this account against being accessed via su, so that it is not
> used accidentally. How can I do this?
>
> I already check the number of logged-in users to be one (=shut), so that it
> only can be used once everybody is out. But a su would not increase that number.
>
> Any help appreciated
>
> Mathias
> --
> Mathias Koerber  | S iemens             | EUnet: koerber.sin@nixdorf.de
> 2 Kallang Sector | N ixdorf             | USA: koerber.sin@nixdorf.com
> S'pore 1344      | I nformation Systems | Tel: +65/7402852 | Fax: +65/7402834
> * Packed with Power, SNIckers really satisfy (or do they? Ask them gals :-) )*

Disclaimer: I haven't tried this.  The only thing I have root access on
these days is Minix.  :-(

One alternative: write a C program that returns a status indicating if
the current user's *effective* user id is equal to the current user's
*actual* user id.  You could then use that status in an if, determining
if you actually want to shut down or not.

Or... I suppose a more (re)useful way of doing it, would be to write
an "ewho" program, that printf's the effective user id (eg "root", not
the numbers), and use a string comparison against its output, and the
first field of `who am i`.

Heh.  Of course, I just tried

$ who am i

on this machine, and it didn't output a thing... so maybe the first
suggestion works better.  :-)

- Dan
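
The two checks suggested in the reply above, combined into one C program. This is an added example, not part of the original post: the names `classify_session`, `check_current_session` and the `SESSION_*` statuses are hypothetical, and `getlogin()` stands in for the first field of `who am i`. A missing login record, the case the poster hit, is reported as its own status.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Exit statuses a .profile can test (names are hypothetical). */
enum { SESSION_OK = 0, SESSION_MISMATCH = 1, SESSION_UNKNOWN = 2 };

/* login_name: name recorded for this terminal at login (what `who am i`
 * reports).  euid_name: passwd name owning the effective uid.
 * su normally sets the real uid together with the effective one, so the
 * name comparison is the check that notices an su'd session. */
int classify_session(const char *login_name, uid_t ruid, uid_t euid,
                     const char *euid_name)
{
    if (login_name == NULL || euid_name == NULL)
        return SESSION_UNKNOWN;     /* no login record: caller should refuse */
    if (ruid != euid)
        return SESSION_MISMATCH;    /* running under a set-uid program */
    if (strcmp(login_name, euid_name) != 0)
        return SESSION_MISMATCH;    /* logged in as someone else */
    return SESSION_OK;
}

/* Gather the live values and classify the calling session. */
int check_current_session(void)
{
    char login[256];
    const char *l = getlogin();     /* NULL when no login record is found */
    struct passwd *pw;

    if (l != NULL)
        snprintf(login, sizeof login, "%s", l);  /* copy out of static storage */
    pw = getpwuid(geteuid());
    return classify_session(l ? login : NULL, getuid(), geteuid(),
                            pw ? pw->pw_name : NULL);
}

int main(void)
{
    int status = check_current_session();
    if (status != SESSION_OK)
        fprintf(stderr, "not a direct login, refusing\n");
    return status;
}
```

In the `.profile`, `/etc/shutdown` would be run only when this program exits with status 0.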