HPE Community
Operating System - HP-UX
1826337 Members
4082 Online
109692 Solutions
New Discussion

focring users to su to a specific ID

 
SOLVED
Go to solution
denise_7
Frequent Advisor

‎09-09-2002 12:40 PM

‎09-09-2002 12:40 PM

focring users to su to a specific ID

I want to be able to force users to log into their personal account first, then su to a specific ID (Developers) to execute scripts. In other words, I don't want the users to log into as Developer first. I know there is some way to set up su, but forgot how. Thanks.
0 Kudos
Reply
8 REPLIES 8
MANOJ SRIVASTAVA
Honored Contributor

‎09-09-2002 01:14 PM

‎09-09-2002 01:14 PM

Solution

Re: focring users to su to a specific ID

Hi Denise


this is how we do it for root and oracle :


loginid=`who am i | awk '{print $1}'`
echo $loginid
if [ $loginid = oracle ]
then
exit
fi

echo $loginid
if [ $loginid = root ]
then
exit
fi
These lines are to be added in /etc/profile
You can change the id to whatever you want to restrict , then the suer will ahve to su to the the id .


Manoj Srivastava
Reply
Rodney Hills
Honored Contributor

‎09-09-2002 01:33 PM

‎09-09-2002 01:33 PM

Re: focring users to su to a specific ID

You might be able to use group permissions. If you only allow the scripts to be executable by a specific group (say group "developer"), then after the users login, then they could enter "newgrp developer" to become a member of the developer group.

You could even put a password on developer by putting the encrypted password into field 2 of /etc/group. Then all the developers would have to know that password.

This way they can keep their UID number for their terminal session. Using "su", all users would have the same UID.

My 2 cents...

-- Rod Hills
There be dragons...
0 Kudos
Reply
Jordan Bean
Honored Contributor

‎09-09-2002 01:52 PM

‎09-09-2002 01:52 PM

Re: focring users to su to a specific ID


You can prevent direct login of all users (or primary groups) listed in a special text file by testing the ownership of the assigned tty during login by adding either of these to /etc/profile.

# If you are a restricted user and you own
# the assigned tty, then die.
if grep -Fq $(id -un) /etc/nodirectlogin
then
if [ -O $(tty) ]
then
echo 'Direct login denied.'
exit 1
fi
fi

or

# If you are a member of a restricted group
# and you own the assigned tty, then die.
if grep -Fq $(id -gn) /etc/nodirectlogin
then
if [ -O $(tty) ]
then
echo 'Direct login denied.'
exit 1
fi
fi

0 Kudos
Reply
john korterman
Honored Contributor

‎09-09-2002 11:24 PM

‎09-09-2002 11:24 PM

Re: focring users to su to a specific ID

Hi,

for a user called flipflop, you could prevent direct logon by adding this to flipflop's .profile:

if [ `logname` = flipflop ]
then
echo Direct login not allowed for user flipflop
exit
fi


regards,
John K.
it would be nice if you always got a second chance
Reply
James Ellis_1
Super Advisor

‎09-17-2002 12:05 PM

‎09-17-2002 12:05 PM

Re: focring users to su to a specific ID

I will have to get back to you on this as I am looking into this myself. I'll let you know what we do and how we solved this. Good luck!

"In the middle of difficulty lies opportunity" -Einstein
0 Kudos
Reply
denise_7
Frequent Advisor

‎09-23-2002 06:57 AM

‎09-23-2002 06:57 AM

Re: focring users to su to a specific ID

Manoj and John,

Being out of programming for a while (C++), I had to review some things. But Shell programming is rather simple yet I cannot figure this out. Your two suggestion to put in the /home/userid/.profile does not work. The error I get is:

${HOME:-.}/.profile[28]: [userid=userid]: not found

It looks like its a parameter passing error or something like that. The error of userid=userid seem to not comparing correctly.

Thanks.
0 Kudos
Reply
Deshpande Prashant
Honored Contributor

‎09-23-2002 07:16 AM

‎09-23-2002 07:16 AM

Re: focring users to su to a specific ID

HI
Use following to restrict direct login as well as allow only authorized developers (Listed in /etc/oracle.allow file) to "su" to oracle.
####
user=`logname`;
sulog="/var/adm/sulog"
TTY="`tty | cut -d/ -f3`"
date=`date "+%m/%d %H:%M"`

if [ ${user} = "oracle" ]
then
echo " : Direct login Not Allowed..."
echo "ERR ${date} - ${TTY} ${user}-oracle" >> ${sulog}
exit
fi
else
grep ${user} /etc/oracle.allow > /dev/null 2>&1
if [ ${?} -ne 0 ]
then
echo " : ${user} is NOT ALLOWED TO LOGIN AS Oracle"
echo "ERR ${date} - ${TTY} ${user}-oracle" >> ${sulog}
exit
fi
fi

#--
Thanks.
Prashant.
Take it as it comes.
0 Kudos
Reply
MANOJ SRIVASTAVA
Honored Contributor

‎09-23-2002 07:18 AM

‎09-23-2002 07:18 AM

Re: focring users to su to a specific ID

Hi denise


This is to be put in /etc/profile and not in $HOME/USER/.profile


so that it runs for all users.


Manoj Srivastava
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.