in reply to •Re: Re: •Re: Resetting passwords
in thread Resetting passwords

Answering all this gets a little complex; let's see how well I can do.

First, to clear this all up a little, this is not a web service.
The machine in question is running DG/UX; it's not one I administer or even really use. The system is one that no one has a shell account on other than a few admins. The users log in and are directed into a menu-based application (for healthcare).

I got involved over some security concerns on the system (I noticed it had open NFS shares) and started asking some basic security questions. There were several problems, notably that it's not using shadow passwords, and that the current method for resetting user passwords on the system is by logging in as "resetpassword" which then prompts you for the account to reset. The current "resetpassword" has no password. (insert loud bells and whistles going off here)

Shadow passwords were an easy one to convince them on; they turned them on. Which broke their current "resetpassword" method.

So since I am the one who suggested all of this, I've been asked to provide a replacement for the process. I'm free to make it as "secure" as I want using my own devices. However, I don't even have shell access on the box, and I have next to no experience on DG/UX.

That said, I worked with them to a happy medium of keeping the resetpassword account, putting a password on it, and limiting what accounts it can reset. They absolutely will not give the root password out to those who need to reset passwords for users.

Sudo is a nice idea, and I'm familiar with it, but I don't see any indication it will even compile on DG/UX, and the administrator of the system is hesitant to try anything like that. (He's also about 1500 miles away, so communication is poor at best.) I do have a request in to him to look at it, but my expectations are low.

Apologies for the long post, but I'm very open to suggestions on how to go about this. My goal is to get this box secure, or at least as secure as I can.
