how to create a user, which can't be su'd to ?

uunet!bria!mike
Sun Jan 20 11:53:28 AEST 1991


In article <1460@nixsin.UUCP> nixsin.UUCP!koerberm (Mathias Koerber) writes:
>Howdy,
>
>I have a (small) system, which I want all my staff to be able to shutdown in
>the evening, without having to give them full root access. So i created a user
>"shut", whose .profile calls /etc/shutdown with all the necessary parameters.
>
>I want to protect this account against being accessed via su, so that it is not
>used accidentally. How can I do this?

There is no way to allow an account for login, but disable it for su (that
I know of ...); however, here are some alternatives.

One way would be to write a program that exec()'d /etc/shutdown, and
ran suid, such as:

---[ cut here, call shut.c ]---------------------------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define MAGIC_GID	100

int main(int argc, char *argv[])
{
	FILE	*fp;
	int	users = 0;
	char	buf[128];
	/* a setuid program must not hand the caller's environment to root's
	 * shutdown; give it a fixed PATH and nothing else */
	char	*clean_env[] = { "PATH=/bin:/usr/bin:/etc", NULL };

	/* getgid() is the REAL gid of whoever ran us; the setuid bit only
	 * changes the effective uid, so this identifies the caller */
	if ( getgid() != MAGIC_GID ) {
		fprintf(stderr,"%s: you are not allowed to shutdown\n",argv[0]);
		exit(1);
		}

	/* full path: popen() goes through the shell, and a relative "who"
	 * would be looked up in the caller's PATH while running as root */
	if ( (fp = popen("/bin/who","r")) == NULL ) {
		fprintf(stderr,"%s: cannot shutdown system\n",argv[0]);
		exit(1);
		}

	/* who prints one line per login session */
	while ( fgets(buf,sizeof buf,fp) != NULL )
		++users;
	pclose(fp);		/* streams from popen() are closed with pclose() */

	/* our own session is one of them */
	if ( users > 1 ) {
		fprintf(stderr,"%s: everyone is not logged out!\n",argv[0]);
		exit(1);
		}

	execle("/etc/shutdown","/etc/shutdown",(char *)NULL,clean_env);
	/* only reached if the exec failed */
	fprintf(stderr,"%s: cannot exec /etc/shutdown\n",argv[0]);
	exit(1);
}

---[ cut here ]--------------------------------------------------------------

You would then compile this program, make sure the owner was root, and
chmod "shut" to 4111.  Thus, all your non-root admin would have to do is
enter /etc/shut (or whatever) to allow them to shut the machine down when
no one is using it.  Note that MAGIC_GID should be changed to the group
id of your non-root admin; others won't be allowed to use it.
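As an added example (not code from the post), here is the same "is anyone else logged in?" check done by reading the utmpx login database directly rather than running who through popen(): a setuid program that never spawns a shell has no PATH or IFS for a caller to tamper with. The function names are mine, and the threshold of one session (the caller's own) follows the wrapper above.

```c
/* Count live login sessions from the utmpx accounting database instead of
 * parsing "who" output.  Added example; function names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <utmpx.h>

/* True for a record that represents a live user login, which is exactly
 * the set of records "who" prints.  Takes the two fields it needs so the
 * rule can be checked without a real utmpx record. */
int is_user_session(int type, const char *user)
{
    return type == USER_PROCESS && user != NULL && user[0] != '\0';
}

/* Number of live login sessions on this machine.  Returns 0 when the
 * database is absent or empty (e.g. inside a container). */
int count_user_sessions(void)
{
    const struct utmpx *ut;
    int sessions = 0;

    setutxent();                       /* rewind to the first record */
    while ((ut = getutxent()) != NULL)
        if (is_user_session(ut->ut_type, ut->ut_user))
            ++sessions;
    endutxent();                       /* close the database again */
    return sessions;
}

/* The caller's own session counts as one, so "nobody else is logged in"
 * means at most one live session. */
int safe_to_shutdown(int sessions)
{
    return sessions <= 1;
}

int main(void)
{
    int n = count_user_sessions();

    printf("%d login session(s); shutdown %s\n", n,
           safe_to_shutdown(n) ? "allowed" : "refused");
    return safe_to_shutdown(n) ? 0 : 1;
}
```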

Another option would be to have the system shutdown on its own, by
putting a "fast shutdown" command in root's crontab, such as:

	sh -c "sync; sleep 5; /etc/haltsys"

I know this isn't what you're explicitly asking for, but these are some
alternatives I thought I'd throw out there.
-- 
Michael Stefanik, Systems Engineer (JOAT), Briareus Corporation
UUCP: ...!uunet!bria!mike
--
technoignorami (tek'no-ig'no-ram`i) a group of individuals that are constantly
found to be saying things like "Well, it works on my DOS machine ..."