topic Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su" in Operating System - HP-UX

Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

Darryl Lauderdale — Fri, 02 Nov 2001 16:44:11 GMT

Need a scripts or some means to prevent specific users, esp. DBA, from telnet as oracle but to login using their personal account and then su -ing to Oracle. I need information for both bourne and C-shell. Seem to me that sometime ago there was a entry for "/usr/bin/sh" and not for "/usr/bin/csh". Need both any help will be appreciated.

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

Patrick Wallek — Fri, 02 Nov 2001 17:03:59 GMT

We have used sudo to do exactly that.

The way we did it:

Put a * in the passwd field for the oracle ID.

Create a script called 'oracle' or something similar that looks like:

/usr/local/bin/sudo su - oracle

and make it executable.

Then set up sudo so that users can execute that script and voila.

Make sense?

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

Sanjay_6 — Fri, 02 Nov 2001 17:13:10 GMT

Hi Darryl,

What you can do is disable the login for oracle, but this will disallow all login as oracle. Users can only do a su to oracle. To do this edit /etc/passwd file and put a "*" in tthe 2nd field for oracle.

oracle:*:uid:gid:.....

There is no way to make a set of users being made unable to login as oracle and other set being able to login as oracle through telnet at the same time. I think that is what you are looking for.

If you face any permission problem, you may try looking into "sudo" to give users the superuser capability to run a particual script "oracle" as mentioned above by Patrick.

Hope this helps.

Regds

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

Craig Rants — Fri, 02 Nov 2001 17:15:02 GMT

A place I used to work had something that compared users to a special users list, if the user was not in there then they were give access or not.

If I remember correctly, /etc/profile was modified with an if/then statement to perform this check and let users in or not based on the user name.

Hope this helps.
C

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

Roger Baptiste — Fri, 02 Nov 2001 17:48:04 GMT

hi,

Simple one:
you can add the following check in /etc/profile for
bourne shell

loginid=`logname`
if [ $loginid = oracle ]
then
echo "Only Su login allowed""
exit 1
fi

For CSH, do similar logic
in /etc/csh.login
set loginid=`logname`
if ( $loginid == oracle)
then
echo ""only Su allowed""
exit 1
endif

***

Another method is to
disable oracle account
and setup sudo to login as
oracle.

This is a good security question. Probably a security
guru should be able to come
up with a perfect trick to
do this.

cheers
-raj

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

Bernie Vande Griend — Fri, 02 Nov 2001 18:57:21 GMT

Raj's /etc/profile trick is how I usually do this as it is very simple and easy to keep track of.

If your using a product like PowerBroker or CA's Access Control this is a very easy thing to implement.

Here is a link to a script that someone wrote to do this as well:
http://www.dutchworks.nl/htbin/hpsysadmin?h=3&dn=49762&q=force%20su&fh

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

Michael Tully — Fri, 02 Nov 2001 19:48:44 GMT

Hi,

The easiest way to do this, it to disable the oracle account. This will allow you to do two things. Force the DBA's to login as themselves and then 'su - oracle' and if you have more than one DBA you can track who did what and when.
I have found over the years that DBA's don't give a rats about security, so place them on a harness.

This is the easiest way, but I am a firm believer in using 'sudo' so look into this, as the DBA's will not.

My 2 cents worth
-Michael (AKA - not a DBA fan)