topic Re: Restricting User Access in Operating System - HP-UX

Restricting User Access

Paul Czetwertynski — Thu, 22 Feb 2001 14:33:23 GMT

Is it possible to restrict certain user accounts from being able to directly telnet into a server. In essence, to force users to SU to the account from a personal account (like what happens when you have a securetty file for root.). I don't want to filter by IP address, but by user name.

For my particular environment, I'm looking to limit our DBAs ability to login directly as "oracle" to the server. I want them to login with their username first, then SU.

Re: Restricting User Access

unixdaddy — Thu, 22 Feb 2001 15:07:25 GMT

Although the OS does not provide this capability directly (there is nothing
similar to /etc/securetty for root), adding the following statements to
/etc/profile or /etc/csh.login should prevent a certain user from
login but allow su - username.

Expand on the "if" statement if there are multiple accounts.

For Bourne and POSIX shells, add the following to /etc/profile:

name=`logname`
if [ $name = username ]
then
echo $name not allowed to login...only su
exit
fi
#end

For C shell, add the following to /etc/csh.login:

set name=`logname`
if ( $name == username ) then
echo $name not allowed to login...only su
exit
endif
#end

Re: Restricting User Access

Dan Hetzel — Thu, 22 Feb 2001 15:36:56 GMT

Darren, Paul,

DBAs usually need the full oracle environment, so they will use 'su -' to become oracle user.

In that case (su -) the /etc/profile and $HOME/.profile are sourced and checking for the oracle user name in one of those files will not help.

AN alternative would be to prevent all login by replacing the password field in /etc/passwd with a string that is a guaranteed no-match, i.e. an asterisk.
In that case, 'su - oracle' can only be issued by root as it won't prompt for a password.
To circumvent this, you could use 'sudo' and allow members of the dba group to issue 'su - oracle'. It won't ask for the oracle user password.

SUDO can be downloaded from the HP Software Archive and Porting Center of from http://www.courtesan.com

Best regards,

Dan

Re: Restricting User Access

Mark Wyckoff — Thu, 22 Feb 2001 16:11:59 GMT

Paul,
Dan's suggestion is right on. I am utilizing the sudo program to allow certain users access to 'application owner' IDs on our systems (i.e. oracle), and it works like a champ. It also gives you additional information about who is using certain IDs, how often, etc. through log files and e-mail to root.

Mark

Re: Restricting User Access

unixdaddy — Thu, 22 Feb 2001 16:32:51 GMT

I'm confused (Isn't hard). I thought the requirement was to stop users from login into oracle directly. The /etc/profile (with amended code)will check that the user attempting to log in isn't oracle. If they therefore log in directly the test will succeed and exit out. If they su then the login name is different and therefore the test will fail allowing login. Is that correct or am I talking out of my hat?

Re: Restricting User Access

Dan Hetzel — Thu, 22 Feb 2001 17:01:15 GMT

Hi Darren,

Don't worry, you're not talking 'out of your hat' (maybe was I ?)
I should have read your answer more carefully. You deserve the 10 points ;-)

Best regards,

Dan

Re: Restricting User Access

james mcintyre_1 — Fri, 23 Feb 2001 20:29:59 GMT

the utility tcpwrapper will allow you to control who can login and from where. it will also control ftp if your intersted.

jim mc.....