Pingu
02-17-2002, 05:58 PM
I'm sure this is possible:
I do not want everyone who can login to be able to su to root.
How do I limit that to just a few people?
MDJ2000
02-19-2002, 10:41 AM
Install the ssh pkg and disable telnet (a must IMHO). By default, only the admin account can su -, everyone else gets a perm denied. Is that what you're asking?
http://pkg.nl.cobalt.com/packages/raq/4/
Pingu
02-19-2002, 11:08 AM
"Is that what you're asking."
Almost. This is good to know. It also changes my question a bit: how can I add an account?
The situation now:
- telnet is disabled,
- ssh1 is disabled,
- ssh2 is up and running,
- tcpwrappers limit access to just a few IPs and deny all others,
- root can't login.
All nicely done, but now I worry. What if I mess up admin's password?! Done that before through ssh, although I'm pretty sure I typed the password correctly (without capslock on).
Accidents do happen, I just don't want the same to happen again.
So what I want is another (unspecified) account who can su,
or else a failsafe method of changing passwords without getting locked out.
So far I've been doing that by starting two shell sessions, su to root, change the passwords, and then try out with one session and keeping the other one logged in as root.
I believe that you can always change the admin/root password from the GUI.
If you change the admin password there, it will replace your root password too.
For Raq's GUI, admin password = root password.
Please tell me if I'm wrong.
Pingu
02-20-2002, 07:11 AM
You're right, but I absolutely don't want admin and root to have the same password :)
After "resetting" both passwords to be the same, you can ssh to your server and change root's password again to anything you want.
I think this way you avoid having a second user that can su.
Daniel
Pingu
02-20-2002, 07:41 AM
It's not a disaster. I'll stick to the "old" way of two terminal sessions when changing passwords. I just don't want to lock myself out ever again, hehe
Thanks!
driverdave
02-20-2002, 11:17 PM
Personally, I don't see the protection with a different pass for root and admin on the Cobalts. If I have the admin pass, I can change the root pass in about 20 seconds via the GUI. Am I missing something?
Pingu
02-21-2002, 06:04 AM
I've set the immutable bit on the password files. Doesn't that stop people from changing passwords, no matter if they're logged into the GUI as admin?
Then again, anyone who has access to the GUI can destroy a lot of good. Can PAM be disabled on the login thing so another .htpasswd can be used with a different login and password?
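Added example, not part of any post in this thread: where su is limited through PAM's pam_wheel module, the accounts allowed to su are the members of the required group (wheel by default), and the script below reports them from a PAM su config, a group file and a passwd file. The thread does not say which mechanism the RaQ uses, so pam_wheel, the sample files and the account names are assumptions.

```sh
#!/bin/sh
# Added example: report which accounts may su when pam_wheel guards it.

# Print the group an active pam_wheel line requires for su (default "wheel");
# print nothing if no such line exists. Lines using "deny" are skipped.
su_required_group() {   # $1 = PAM config for su
    awk '/^[ \t]*#/ { next }
         $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 ~ /pam_wheel\.so$/ {
             grp = "wheel"
             for (i = 4; i <= NF; i++) {
                 if ($i == "deny") next
                 if ($i ~ /^group=/) grp = substr($i, 7)
             }
             print grp; exit
         }' "$1"
}

# Accounts in group $2: members listed in group file $1 plus accounts in
# passwd file $3 whose primary GID is that group.
group_members() {
    gid=$(awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1")
    {
        awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
        if [ -n "$gid" ]; then awk -F: -v id="$gid" '$4 == id { print $1 }' "$3"; fi
    } | sort -u | paste -s -d ' ' -
}

su_audit() {   # $1 = PAM su config, $2 = group file, $3 = passwd file
    grp=$(su_required_group "$1")
    if [ -z "$grp" ]; then
        echo "UNRESTRICTED: any account that knows the root password can su"
        return 1
    fi
    echo "RESTRICTED to group $grp: $(group_members "$2" "$grp" "$3")"
}

# Constructed sample files (not from a real host).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'auth sufficient pam_rootok.so' '# auth required pam_wheel.so use_uid' \
    'auth required pam_unix.so' > "$demo/su.open"
printf '%s\n' 'auth sufficient pam_rootok.so' 'auth required pam_wheel.so use_uid' \
    'auth required pam_unix.so' > "$demo/su.wheel"
printf '%s\n' 'root:x:0:' 'wheel:x:10:admin,alice' 'users:x:100:' > "$demo/group"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'admin:x:500:100::/home/admin:/bin/sh' \
    'bob:x:501:10::/home/bob:/bin/sh' > "$demo/passwd"

su_audit "$demo/su.open"  "$demo/group" "$demo/passwd" || true
su_audit "$demo/su.wheel" "$demo/group" "$demo/passwd"
```

On a real host the three arguments would be /etc/pam.d/su, /etc/group and /etc/passwd; the bob entry shows why the primary GID has to be checked as well as the group's member list.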