topic Re: Secure Shared Accounts in Operating System - HP-UX

Secure Shared Accounts

Steve Medrick — Tue, 24 Apr 2001 13:51:11 GMT

I need a way to have users log in as themselves,
and then access shared accounts (i.e. Oracle,
SIDs under Oracle). If there is some COTS or
some scripting/etc please adivse. We are using
10.20 and 11.0 right now.

Can't use Sudo (as far as I know) as the users have
to stay in the environment rather than just submit
commands to it.

Any help would be appreciated., Tks

Re: Secure Shared Accounts

Vincenzo Restuccia — Tue, 24 Apr 2001 13:56:54 GMT

Edit C script with command can't use,it have chmod 4501.

Re: Secure Shared Accounts

MARTINACHE — Tue, 24 Apr 2001 14:05:35 GMT

Hi,

Why don't you use sudo to do something like "su - oracle" as root ?

Regards,

Patrice.

Re: Secure Shared Accounts

Andrew Maslin — Tue, 24 Apr 2001 18:10:51 GMT

Another possibility is using rlogin. I don't know if this will work on the same machine or not, but we use it for a terminal for one server to log in on a second server without the extra login step (or a password being required). We put it in the .profile, but it could just as easily be placed in a script. See man rlogin for more info.

Re: Secure Shared Accounts

Patrick Wallek — Tue, 24 Apr 2001 18:20:27 GMT

You can use sudo to do an 'su - username'. We use that quite regularly here.

We have a line set up in our sudoers file like:

Cmnd_Alias ORACLE=/usr/uprc/scripts/Oracle

then we set up the users like:

userid machine_name=ORACLE

The Oracle script does the following to switch to the oracle user at a shell prompt and the user can the do whatever he/she needs to do.

#!/bin/sh
if [ `/usr/ucb/whoami` = "root" ]
then
newuser=`basename $0| sed -e "s/^O/o/"`
/bin/echo "Changing to user $newuser"
exec /bin/su - $newuser
else
exec /usr/uprc/bin/sudo /usr/uprc/scripts/`basename $0`
fi

Re: Secure Shared Accounts

Shannon Petry — Tue, 24 Apr 2001 19:26:43 GMT

Well, I have seen alot of assumptions. Mostly about running "at" on Windows 98?????? I thought only NT has the "at" command! Setup an FTP Server on 98???

To do this via FTP every couple of minutes is crazy! This is a very tedious mechanism for transfering 1 file( unless it is HUGE!).

Download and install SAMBA, and read the docs. You can use smbclient to access a windows share directly, and therefor write a script to run via cron. Since smbclient is very similar to ftp the smbclient may not be the most effective mechanism.

The most effective method is to create a samba share, and mount that on windblows. have the windblows program dumping a file dump to the mapped drive.

Read the docs for SAMBA, and you will learn all you need. pretty basic though...

If you have to use smbclient, then it is a bit better than ftp, because it is completely control the scripts from the UNIX box, without adding software to windblows!

Read the docs for smbclient, and you'll be off and running...

Regards
Shannon

Re: Secure Shared Accounts

Bill Thorsteinson — Tue, 24 Apr 2001 21:31:12 GMT

If you only want acces to things like Oracle SIDs then the
default Oracle install does what you want. Oracle will allow read access to the files needed to execute things
like SQLPlus, SQLLoader and other command line utilities.
Actual updates to the database are done by processes
running under the Oracle userid.

You may want to open up the udump directories for
access by all users.

Re: Secure Shared Accounts

Shannon Petry — Tue, 24 Apr 2001 23:38:30 GMT

Wow, looks like my post got put in the wrong message! Sorry bout that! What's up with that HP??????????

Anyway, with this one, I agree that you can use sudo to su - oracle. Sudo may be overkill though, if the users already have the password to oracle. If they do, a su '-' oracle loads the environment for the user after the '-' sign.

This may or may not suite your needs however. If it is because you have users running scripts, remember that you can use sudo to have them run the scripts as oracle, just as a binary. sudo is much more flexible than people thing until they use it! :)

Regards,
Shannon

Re: Secure Shared Accounts

Jim Hendrick — Mon, 30 Apr 2001 11:54:09 GMT

You may have more options with sudo than you are aware. (plus, it comes with source code so if you are brave & careful you can make it do whatever you need)

Pertaining to keeping a standard environment, you can easily set things like PATH, etc. in either the build or the sudoers file.

Good luck.

http://www.courtesan.com/sudo/man/sudoers.html
http://www.courtesan.com/sudo/install.html