Old 06-14-2004, 04:13 PM   #1
Rotwang
Member
 
Registered: Jan 2004
Distribution: CentOS
Posts: 281

Rep: Reputation: 30
Make a user that can su but not login?


I'd like to make a user that can't login, but that other users (who can login) can su to.

I tried making a user like this:
adduser -s /sbin/nologin emailusername; passwd emailusername

and then when I'm logged in (as another user) and I try to su to that user, I get:
This account is currently not available.

Is what I want possible?
 
Old 06-14-2004, 04:34 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I'm not certain, but if the home page entry is blank in /etc/passwd or /etc/shadow, this may be what you want. But there may be problems even if this works. Why do you want to do this? Maybe there is another way to do what it is you want to.
 
Old 06-14-2004, 05:01 PM   #3
Rotwang
Member
 
Registered: Jan 2004
Distribution: CentOS
Posts: 281

Original Poster
Rep: Reputation: 30
thank you,

well, the reason I'm doing this is, I have sendmail, qpopper, and pine set up, and I don't want to use the same account for a user's shell access as his email. If I use the same account for both, and someone gets ahold of the pop password (via sniffing or something), then he could login.

That works fine, but the problem is, users who do login can't check their email with pine while they're logged in, because their email is in a different account. But if they could su to that account they could.
 
Old 06-14-2004, 07:11 PM   #4
penguin4
Senior Member
 
Registered: May 2004
Location: california
Distribution: mdklinux8.1
Posts: 1,209

Rep: Reputation: 45
Rotwang; have you looked at kb.mandrakeclub.com/index.php/AdminArecov may answers.
or somewhere in that kb section
 
Old 06-14-2004, 07:23 PM   #5
Rotwang
Member
 
Registered: Jan 2004
Distribution: CentOS
Posts: 281

Original Poster
Rep: Reputation: 30
I'm not a mandrake club member. Actually, I should've said, I'm doing this in fedora core 2. Although, if there's a solution in mandrake, then I bet something similar would work in fedora.
 
Old 06-15-2004, 11:27 AM   #6
penguin4
Senior Member
 
Registered: May 2004
Location: california
Distribution: mdklinux8.1
Posts: 1,209

Rep: Reputation: 45
Rotwang; well yes maybe. but can not do too much harm in trying? it is linux with common thread. that's the maybe.
 
Old 06-15-2004, 11:29 AM   #7
Rekna
Member
 
Registered: Mar 2004
Posts: 33

Rep: Reputation: 15
can't you use pam.d and use access.conf to do this?
 
Old 06-17-2004, 04:21 AM   #8
paeng16
Member
 
Registered: May 2004
Posts: 47

Rep: Reputation: 15
or better yet LDAP!

 
Old 06-17-2004, 04:35 PM   #9
penguin4
Senior Member
 
Registered: May 2004
Location: california
Distribution: mdklinux8.1
Posts: 1,209

Rep: Reputation: 45
Rotwang; ? how or why two email progs? if needed then use separately with
all users, login separately also. that may solve problem. try it.
 
Old 06-19-2004, 04:04 PM   #10
Rotwang
Member
 
Registered: Jan 2004
Distribution: CentOS
Posts: 281

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by penguin4
Rotwang; ? how or why two email progs? if needed then use separately with
all users, login separately also. that may solve problem. try it.
Well, the reason I want to let users use both pine and a pop client is so they can check their email:

1. with a rich client like eudora or outlook
and
2. from anywhere by logging in (instead of having to reconfig outlook on whatever PC they're on).

Not sure what you mean by use separately with all users login separately.

I was trying to figure out what Rekna is talking about... but I gave up and (sort of) solved it another way:

You can config pine to load a different email box. So, for each user I create two accounts- one that can't login, which is used for email, and one that can login. The one that can login can run pine and load the other user's mailbox.

Works great except the problem is, I still have to figure out how to do permissions so that only those two user accounts and the mail group can access the mailbox. Which I think means I have to create a new group for every user too, plus add the mail user to it every time, that will be annoying..
 
Old 06-19-2004, 04:49 PM   #11
penguin4
Senior Member
 
Registered: May 2004
Location: california
Distribution: mdklinux8.1
Posts: 1,209

Rep: Reputation: 45
Rotwang; just as u stated last post; since u r root then config permission
for each usr as u choose. ???
 
Old 06-20-2004, 06:17 PM   #12
Rotwang
Member
 
Registered: Jan 2004
Distribution: CentOS
Posts: 281

Original Poster
Rep: Reputation: 30
Yea that's what I'll have to do, it just sucks because for every person who uses the server I'll need:

1. two accounts: one login, one not,
2. a new group, which both accounts are a member of
3. to add the "mail" user to the new group.

It's very annoying. But it's the only way I've been able to figure out.
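
Added example, not part of the thread: a shell check for the layout described in posts #10 and #12 (a mail-only account with the /sbin/nologin shell from post #1, a login account, and a per-user group shared with the mail user). The account names, group names and passwd/group lines are constructed sample data, and only supplementary members (field 4 of the group file) are compared.

```shell
#!/bin/sh
# Audit the two-account-plus-group layout against passwd- and group-format text.
# Constructed sample data: alice is set up as described, bob is not.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
alice-mail:x:1002:1002::/home/alice-mail:/sbin/nologin
bob:x:1003:1003::/home/bob:/bin/bash
bob-mail:x:1004:1004::/home/bob-mail:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
EOF
cat > "$tmp/group" <<'EOF'
alice-mbox:x:2001:alice,alice-mail,mail
bob-mbox:x:2002:bob,bob-mail,mail,carol
EOF

# shell_of USER PASSWD_FILE: print the login shell (field 7) of USER
shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# members_of GROUP GROUP_FILE: print the member list, sorted, one per line
members_of() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2" | tr ',' '\n' | sed '/^$/d' | sort
}

# check_mail_split LOGIN MAILACCT GROUP PASSWD_FILE GROUP_FILE
# Prints one line per finding and returns 0 only when there are none.
check_mail_split() {
    login=$1 mailacct=$2 group=$3 pw=$4 gr=$5 rc=0
    case "$(shell_of "$mailacct" "$pw")" in
        */nologin) ;;
        '') echo "FAIL: $mailacct has no passwd entry"; rc=1 ;;
        *)  echo "FAIL: $mailacct has a login shell"; rc=1 ;;
    esac
    case "$(shell_of "$login" "$pw")" in
        ''|*/nologin) echo "FAIL: $login cannot log in"; rc=1 ;;
    esac
    want=$(printf '%s\n' "$login" "$mailacct" mail | sort)
    have=$(members_of "$group" "$gr")
    if [ "$want" != "$have" ]; then
        echo "FAIL: group $group members are not exactly $login, $mailacct, mail"
        rc=1
    fi
    return $rc
}

check_mail_split alice alice-mail alice-mbox "$tmp/passwd" "$tmp/group" && echo "alice: OK"
check_mail_split bob bob-mail bob-mbox "$tmp/passwd" "$tmp/group" || echo "bob: needs fixing"
```

Pointing the last two arguments at copies of the real /etc/passwd and /etc/group runs the same check on a live system; the mailbox file's own owner and mode still need a separate look.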
 
  

