Is there a way to set something like this up:
Mark, Tom and Joe can SSH into the box, ITS and Group2 cannot.
Mark and Tom can SU to Policy, but not ITS
Joe can SU to ITS, but not Policy
To explain the constraints, I'm trying to set suexec up in a group development environment. Since suexec requires that permissions on a file to serve must be no more then 755 and I don't want to distribute shared group user accounts (For two reasons: the obvious insecurities with having multiple people using a single account and that all the individual users are already in place).
Ideally, I would like for Mark, Tom and Joe to each be able to SSH in to the server. Once they have logged in, a script is executed that calls su - Group1/Group2 and they then are able to edit their files.
Thanks in advance.