Date: Fri, 14 Nov 1997 17:54:02 -0800 (PST)
From: Doug White
Reply-To: Doug White
To: Randy Katz
cc: questions@FreeBSD.ORG
Subject: Re: PREVENT SU TO OTHER USER

On Fri, 14 Nov 1997, Randy Katz wrote:

> Is there a way to prevent a certain user from being able to su to another
> regular user (non-root) in FreeBSD?

Um, don't put them in the wheel group?

Or use permissions by exclusion: put them in a group, i.e., `bogus', chown su to root:bogus, and chmod g-rx su. So the ls -l will look like:

-r-s---r-x 1 root bogus 16384 Oct 20 09:36 /usr/bin/su

FreeBSD always uses the closest permissions, so it'll see the group bogus and use those, and voila, `permission denied.'

Doug White                           | University of Oregon
Internet: dwhite@resnet.uoregon.edu  | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite | Computer Science Major
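The first-match rule the reply relies on, as an added example that is not part of the original message: it parses the `ls -l` mode string shown above and applies the traditional owner, then group, then other check for execute permission. The uid and gid numbers are constructed, and the model assumes plain mode bits with no ACLs or MAC policy in play.

```python
import stat

# Permission masks in the order they appear in an ls -l mode string.
MASKS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
# Positions where setuid, setgid and sticky replace the execute letter.
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_ls_mode(text):
    """Convert an ls -l mode string such as '-r-s---r-x' to mode bits."""
    bits = 0
    for i, ch in enumerate(text[1:10]):
        if ch in "rwx":
            bits |= MASKS[i]
        elif ch in "st":          # special bit set and execute set
            bits |= MASKS[i] | SPECIAL[i]
        elif ch in "ST":          # special bit set, execute not set
            bits |= SPECIAL[i]
        elif ch != "-":
            raise ValueError("unexpected mode character: %r" % ch)
    return bits

def may_execute(mode, file_uid, file_gid, uid, gids):
    """Only the first matching class is consulted; later classes never widen it."""
    if uid == 0:                  # root needs at least one execute bit
        return bool(mode & 0o111)
    if uid == file_uid:
        return bool(mode & stat.S_IXUSR)
    if file_gid in gids:          # group matched: 'other' bits are ignored
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

# Constructed ids: root owns su, gid 1001 stands in for the group `bogus'.
ROOT_UID, BOGUS_GID = 0, 1001
RESTRICTED = (2001, {2001, BOGUS_GID})   # user placed in bogus
ORDINARY = (2002, {2002})                # user outside bogus

def check(mode_text, user):
    uid, gids = user
    return may_execute(parse_ls_mode(mode_text), ROOT_UID, BOGUS_GID, uid, gids)

if __name__ == "__main__":
    for name, user in (("restricted", RESTRICTED), ("ordinary", ORDINARY)):
        print(name, "can run su:", check("-r-s---r-x", user))
```
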