
Allow only SU to a specific user id

 
Nellian Solaiappan
Frequent Advisor

Allow only SU to a specific user id

Hi All
I'm running informix on HP-UX 11.0 and since the user id informix on this box has maximum rights on the database, I need to disable logging in to the server directly as informix. Instead I need to allow only certain users to login and then su to informix. Can this be done?
I will greatly appreciate any help.
Regards
Nell
6 REPLIES 6
john korterman
Honored Contributor

Re: Allow only SU to a specific user id

Hi,
one way is to put this into the .profile of the informix user:

#!/usr/bin/sh
# logname is quoted so the test stays valid if it prints nothing
if [ "`logname`" = "informix" ]
then
    echo "direct login not allowed"
    exit
fi

assumed that the informix user reads .profile, of course.
regards,
John K.
it would be nice if you always got a second chance
RAC_1
Honored Contributor

Re: Allow only SU to a specific user id

Above code will work, but has a problem.
If any user does "su - informix", the .profile of the informix user will get executed and it will exit. This code will take care of not allowing direct logins and not allowing su - informix too. (su informix will work because the .profile of informix will not get executed.)

sudo looks like your option. Install sudo and configure all those users to get su - informix.
visudo to edit sudoers file.
like

user1 (informix) "sudo - informix"

Also you will have to move the code above to /etc/profile to disallow direct logins.
There is no substitute to HARDWORK
john korterman
Honored Contributor

Re: Allow only SU to a specific user id

Hi again,
The code suggested in my first posting will actually not prevent a logged in user from executing "su - informix", assumed that the user's logname does not expand to "informix".
However, RAC's suggestion looks like the better in the long run.

it would be nice if you always got a second chance
Mark Nieuwboer
Esteemed Contributor
Solution

Re: Allow only SU to a specific user id

Still, all of the above doesn't prevent user login.

put this in /etc/profile
# custom code for denying generic account login
if logname > /dev/null 2>&1
then
    LGNM=`logname`
    if egrep "^${LGNM}$" /etc/not_loginable > /dev/null 2>&1
    then
        echo "\nDirect login not allowed for $LGNM\n"
        echo "\nNO remote login allowed for $LGNM (`date '+%D %T'`)\n" |
            logger -p user.err -t NOT_LOGINABLE
        exit 1
    fi
fi

create the file /etc/not_loginable
put the user informix in it.

then in /etc/security add the following line
SU_INFORMIX_GROUP=(groupname informix)

Put the users you want to be able to su to that user in the group you named above.

this will work.

grtz. Mark
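
Added example, not part of Mark's post or of the thread: the /etc/profile check above written as shell functions that can be exercised outside a login session. It assumes /etc/not_loginable holds one login name per line and swaps the egrep pattern for a fixed-string, whole-line match; the function names and every sample account other than informix are made up for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread.
# Assumed deny-file format: one login name per line.

# is_denied_login LOGIN_NAME DENY_FILE
# Returns 0 when LOGIN_NAME appears as a whole line in DENY_FILE, 1 otherwise.
is_denied_login() {
    [ -n "$1" ] || return 1   # logname printed nothing: no name to check
    [ -r "$2" ] || return 1   # unreadable deny file: allows, as the original egrep would
    # -x: whole-line match, so "informix" does not match "informix2"
    # -F: fixed string, so a name such as "ora.prod" is not read as a regex
    grep -qxF -- "$1" "$2"
}

# login_decision LOGIN_NAME DENY_FILE -> prints "deny" or "allow"
# LOGIN_NAME is what logname reports: the account that authenticated at login.
# After "su - informix" from user1 it is still user1, so su keeps working.
login_decision() {
    if is_denied_login "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# Constructed sample data: a throwaway deny list with two generic accounts.
demo_login_decisions() {
    deny_file=${TMPDIR:-/tmp}/not_loginable.demo.$$
    printf '%s\n' informix 'ora.prod' > "$deny_file"
    for name in informix user1 informix2 oraXprod ''; do
        printf '%-10s %s\n' "${name:-<empty>}" \
            "$(login_decision "$name" "$deny_file")"
    done
    rm -f "$deny_file"
}

demo_login_decisions
```

In /etc/profile the call would be is_denied_login "`logname 2>/dev/null`" /etc/not_loginable, followed by the same echo, logger and exit 1 lines as in the post.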
Nellian Solaiappan
Frequent Advisor

Re: Allow only SU to a specific user id

Thanks guys!
Mark's solution has worked out best for me. :) I'm pretty sure sudo would be a sure shot solution too but for now since I'm not planning to migrate to sudo right away, I'm settling for Mark's solution.

Nell