more on superuser

Dave Wallis snafu at ihuxi.UUCP
Fri Jun 15 05:46:11 AEST 1984


Well, I guess I rather screwed this one up! 
Yesterday I submitted an article requesting info on how to restrict su
access to my account, but I guess that I didn't include enough
information. Rather than send mail to everyone who has responded
(thanx!), let me restate my question in more detail.

I have a database on my gp unix account that members of my department
need to access. Some of them have accounts on the same machine, others
are on other gp machines.  The system contains both an environment and
the actual database. Currently, users log onto my account, which sets
up a restricted environment with a limited number of commands
available.  The problem is not the people on other machines who have my
password.  The problem is that a person *with his own account on the
same machine* can su to my account (since he knows the password),
avoiding the restricted environment, and have fun and games
time in my directories.

Using group ids is ok except that I still must give out the password
to those who don't have an account on my machine, so I must assume
that the password is not secure (to avoid the very restricted
environment requires passing several levels of barbed wire and alarms,
so I am not too concerned about an outside person gaining access to my
files). So here is my question again: is there a way in unix to
restrict su access (except for root, naturally) to my account?
All replies welcome, please respond by mail, and thanx in advance.

-- 


                              Dave Wallis
                           ihnp4!ihuxi!snafu
                         AT&T Technologies, Inc.
                            (312) 979-5894


