With the su command you can switch to any user on system, if you know his password.. Example: "su - root" switches to the root user.
This way the profile of the user (here root) will be loaded and you will get the rights of root. But if you enter "su root" (without "-") you just get the rights of root, but you don't actually load his profile..
Now I need a way, so that the user can't use the command without the "-". Example: "su - root" is possible and "su root" should not be possible!
Has anybody got an idea, how I can solve this problem?
you can restrict them from the command buy you cant restrict them from the options of the command.
I can't phantom why you would want to do this.
You could set up a script or executable to replace the su command so that it gets executed instead, looks for the $1 option and if it's a - , removes it before sending the information to the real su
# mv /bin/su /bin/oldsu
# cp /mynewsu /bin/su
# su - joeuser
Your script would have to be able to receive the two parameters.
Logic would remove the -, and then run /bin/oldsu with the parameter joeuser (if there was no userid, then root).
Of course, a person that can list /bin could see the /bin/oldsu and run it directly. There would be no real way to get rid of that problem.
Your best bet would be to get sudo or some other program. Also any upgrades or patches added to the server may replace your su program.
But this could possibly be done. I have never done it but it's one idea. I wouldn't recommend it even though I put it out here.
I've just thought of that idea, after I posted here.. Thanx anyway, it works!
IMHO, I think you need to restrict root access more. But that's just me. 
Also, typically you don't need to use su - root. You can just type su - and this will fault to root, at least on HPUX. You only need to specify su - username for any other user besides root. Again this is my experience on HPUX.
Your answer is to alias su to su -, which you probably already figured out. You can overwrite a command by aliasing it. When you remove the alias the original command takes over again.
alias su=`su -`#syntax depends on OS version #those are backtics
Kelam,
Setting a alias such as you suggest brings about a problem - if the alias is set and the user still does su -, the system will think the user wants to su - to userID - (which it then informs you does not exist).
medusa% alias su 'su -'
medusa% su
Password:
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
[root@medusa]:/root
# exit
medusa% su -
su: Unknown id: -
You at least read the post more carefully than I as I thought the PzYon wanted it so they could not do su -. The logic in the script could still be done. The alias solution might work but a more intracate solution would be needed.
something in a script would be more reliable. Then you could take whatever was entered after "su" as variables.
You would have to move the su binary somewhere out of the PATH and then create a script in the original location called "su".
Then anything after the command will be read as input which you can then force the result you want by coding it in a script.
This should be fairly easy to do probably only 20 lines or so.
My 2K anyway.
If anybody is interested, this is how I solved it on Friday...
rav=${3:+1}
var=${2:+1}
if [[ $1 = "-" ]]; then
if [[ $rav -eq 1 ]]; then
su-orig - $2 $3;
else
su-orig - $2;
fi
else
if [[ $var -eq 1 ]]; then
su-orig - $1 $2;
else
su-orig - $1;
fi
fi
Renamed the original su to su-orig and put this script (named su) into /usr/bin
By the way, I'm just using this temporarily, to test out a few things.. Soon we'll get sudo.
added code tags for readability --oombera