I think we've come to a solution: :) su now sets SU_FROM, which is checked by root's .login in the non 'su' case, .login now prints "We recommend creating a non-root account and using su(1) for root access." Thanks to Miles Nordin for the words (I like terse :) David/absolute