Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 exptools 1/6/84; site ihuxi.UUCP
Path: utzoo!watmath!clyde!burl!mgnetp!ihnp4!ihuxi!snafu
From: snafu@ihuxi.UUCP (Dave Wallis)
Newsgroups: net.unix
Subject: more on superuser
Message-ID: <924@ihuxi.UUCP>
Date: Thu, 14-Jun-84 15:46:11 EDT
Article-I.D.: ihuxi.924
Posted: Thu Jun 14 15:46:11 1984
Date-Received: Fri, 15-Jun-84 01:29:59 EDT
Organization: AT&T Technologies, Inc., Naperville Il.
Lines: 33

Well, I guess I rather screwed this one up! Yesterday I submitted an article requesting info on how to restrict su access to my account, but I guess that I didn't include enough information. Rather than send mail to everyone who has responded (thanx!), let me restate my question in more detail.

I have a database on my gp unix account that members of my department need to access. Some of them have accounts on the same machine, others are on other gp machines. The system contains both an environment and the actual database. Currently, users log onto my account, which sets up a restricted environment with a limited number of commands available. The problem is not the people on other machines who have my password. The problem is that a person *with his own account on the same machine* can su to my account (since he knows the password), avoiding the restricted environment, and have fun and games time in my directories.

Using group ids is ok except that I still must give out the password to those who don't have an account on my machine, so I must assume that the password is not secure (to avoid the very restricted environment requires passing several levels of barbed wire and alarms, so I am not too concerned about an outside person gaining access to my files).

So here is my question again: is there a way in unix to restrict su access (except for root, naturally) to my account?

All replies welcome, please respond by mail, and thanx in advance.
--
Dave Wallis
ihnp4!ihuxi!snafu
AT&T Technologies, Inc.
(312) 979-5894