Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!nrl-cmf!ames!elroy!hacgate!tcville!sparky!rob
From: rob@sparky.HAC.COM (Rob Henderson)
Newsgroups: comp.unix.questions
Subject: "restricted" error - HELP!
Message-ID: <184@tcville.HAC.COM>
Date: 7 Oct 88 01:41:17 GMT
Sender: news@tcville.HAC.COM
Reply-To: rob@tcville.hac.com (Rob Henderson)
Organization: Hughes Aircraft Co., El Segundo, CA
Lines: 64

Greetings,

I give up!! This problem has gotten the best of me so I am turning to
the net for help. FYI, I'm running SunOS 3.4 on a Sun 3/260.

I have set up the following two accounts:

    dummy::0:1:dummy:/:/usr/local/bin/dummy_account
    fixdrip::0:1:fixdrip:/:/usr/local/bin/fixdrip_account

The login scripts (dummy_account and fixdrip_account) run another
script (/sparky/rob/tmp/script.sh), which works for the dummy account
but bombs with "restricted" messages for the fixdrip account. The
problem should be clear after you read the following:

===========================================
Script started on Thu Oct 6 17:52:32 1988
% egrep "dummy|fixdrip" /etc/passwd
dummy::0:1:dummy:/:/usr/local/bin/dummy_account
fixdrip::0:1:fixdrip:/:/usr/local/bin/fixdrip_account
% cd /usr/local/bin
% cat dummy_account
#! /bin/sh -f
/sparky/rob/tmp/script.sh
% cat fixdrip_account
#! /bin/sh -f
/sparky/rob/tmp/script.sh
% diff dummy_account fixdrip_account
% ls -lg dummy_account fixdrip_account
-rwxr--r-- 1 root wheel 40 Oct 6 17:51 dummy_account
-rwxr--r-- 1 root wheel 40 Oct 6 17:51 fixdrip_account
% cat /sparky/rob/tmp/script.sh
#! /bin/sh -f
echo The sh script worked
% su dummy
The sh script worked
% su fixdrip
/usr/local/bin/fixdrip_account: /sparky/rob/tmp/script.sh: restricted
% exit
script done on Thu Oct 6 17:54:02 1988
===========================================

My questions are:

1. What does the "restricted" message mean?

2. Why does the dummy account work while the fixdrip does not?

3. On a side note, I would appreciate if someone would fill me in on
   the security holes I am opening by having these accounts with the
   same uid as root. My motivation for doing this is to give users
   limited access to root privileges.

Thanks for the help,

--Rob Henderson

---
1st Choice: rob@tcville.hac.com
2nd Choice: rgh@hac2arpa.hac.com
3rd Choice: (213) 616-4596
If all else fails: {seismo|allegra|...}!hacgate!tcville!rob