how to create a user, which can't be su'd to ?

[pri=2 Dan Stromberg]

In article <1460 at nixsin.UUCP>, koerberm at nixsin.UUCP (Mathias Koerber) writes:
> Howdy,
> 
> I have a (small) system, which I want all my staff to be able to shutdown in
> the evening, without having to give them full root access. So i created a user
> "shut", whose .profile calls /etc/shutdown with all the necessary parameters.
> 
> I want to protect this account against being accessed via su, so that it is not
> used accidentally. How can I do this?
> 
> I already check the number of logged-in users to be one (=shut), so that it
> only can be used once everybody is out. But a su would not increase that number.
> 
> Any help appreciated
> 
> Mathias
> -- 
> Mathias Koerber  | S iemens             | EUnet: koerber.sin at nixdorf.de
> 2 Kallang Sector | N ixdorf             | USA:   koerber.sin at nixdorf.com 
> S'pore 1344      | I nformation Systems | Tel: +65/7402852 | Fax: +65/7402834
> * Packed with Power, SNIckers really satisfy  (or do they? Ask them gals :-) )*

Disclaimer: I haven't tried this.  The only thing I have root access on
these days is Minix.  :-(

One alternative: write a C program that returns a status indicating if the
current user's *effective* user id is equal to the current user's *actual*
user id.  You could then use that status in an if, determining if you
actually want to shut down or not.

Or...  I suppose a more (re)useful way of doing it, would be to write an
"ewho" program, that printf's the effective user id (eg "root", not the
numbers), and use a string comparison against its output, and the first
field of `who am i`.

Heh.  Of course, I just tried

$ who am i

on this machine, and it didn't output a thing...  so maybe the first
suggestion work better.  :-)

- Dan