Re: Requiring use of su

 
Tim Maletic
Valued Contributor

Requiring use of su

Luis asks in this thread (http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xf2d968da2286d711abdc0090277a778c,00.html) how to control who can su to whom. But does anyone know how to require certain accounts to only be accessed via su? E.g., how can I prohibit the "oracle" account from logging in via any login mechanism (telnet, ftp, ssh, rlogin, the console, etc.) but allow other users to su to oracle? (We want this ability so that we can trace who did what as oracle.)

One method would be to lock the password for the oracle account, and configure sudo like:

DBA_GROUP HOST=(oracle) PASSWD:/usr/bin/sh

This would allow DBAs to run /usr/bin/sh as oracle after entering their own password. Of course, their environment wouldn't be configured correctly, but I could have them exec a script instead that does all that.

Does anyone see other problems with this method? Is there a better way?
Massimo Bianchi
Honored Contributor

Re: Requiring use of su

Hi,
I did a similar configuration and it worked fine.

In my scripts I exported all the variables I needed, and there were no problems.

Another way: you can enable the additional security in HP-UX from SAM, which enables logging and also longer passwords.

If the problem is with Oracle, you can enable additional tracing in the listener and in Oracle itself, enabling the proper audit.

HTH,
Massimo
john korterman
Honored Contributor

Re: Requiring use of su

Hi,
for ksh you could make use of the logname variable, e.g. by putting this in the top of the .profile of the oracle user:
# logname reports the account that opened the session, not the
# effective user, so it still says e.g. "tim" after "su - oracle".
# Quoted so an empty result (no utmp entry) cannot break the test.
if [ "`logname`" = oracle ]
then
    echo Direct login not allowed for user oracle
    exit
fi

this will exit direct oracle logons, but allow su to oracle, if you originally logged in as another user.
Please test it on another account first, as it might impose too many restrictions.

regards,
John K.
it would be nice if you always got a second chance
Patrick Wallek
Honored Contributor

Re: Requiring use of su

A way this was done at a previous employer was that we set up a short script:

# cat oracle
su - oracle

We then gave the folks that needed to execute the script permission in sudo. Doing it this way still allows you to set the passwd to a * so that the account is locked to all but su from root, which you then allow from sudo. This method also makes sure the things like .profile get sourced so you don't have as much worry about the environment.

It worked quite well for us.
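
As an added example (not Patrick's script, not Tim's sudoers entry, and not from the thread), here is a version of the sudo wrapper that keeps the attribution the original post is after: it refuses to run unless sudo set SUDO_USER, so every oracle shell it hands out is tied to a named DBA, and it is only reachable through sudo because the wrapper insists on running as root. The install path /usr/local/sbin/oracle-shell, the group name dba and the syslog tag are assumptions.

```shell
#!/bin/sh
# Added example wrapper, not code from the thread.  Assumed install:
#   /usr/local/sbin/oracle-shell, mode 0755, owned by root, with a sudoers
#   entry like   %dba ALL = (root) /usr/local/sbin/oracle-shell
# sudo then runs it as root with SUDO_USER set to the invoking DBA, and
# "su - oracle" from root needs no oracle password, so oracle's password
# can stay locked ("*") as Patrick describes.

TARGET=oracle

# Decide whether to hand out a shell as $TARGET.
#   $1  SUDO_USER as exported by sudo (empty if not started through sudo)
#   $2  effective uid of this process
# Returns 0 to allow, 1 to refuse.  An empty SUDO_USER means there is no
# named person to attribute the session to, so it is refused even for root.
may_become_target() {
    caller=$1
    euid=$2
    [ -n "$caller" ] || return 1            # must come through sudo
    [ "$euid" -eq 0 ] || return 1           # su without a password needs root
    [ "$caller" != "$TARGET" ] || return 1  # sudo from the target itself adds no attribution
    return 0
}

main() {
    if ! may_become_target "${SUDO_USER:-}" "`id -u`"; then
        echo "oracle-shell: run this through sudo from your own account" >&2
        exit 1
    fi
    # sudo already logs the invocation; this line adds the tty so the
    # sulog entry that "su -" writes can be matched to a person.
    logger -t oracle-shell -p auth.info "$SUDO_USER -> $TARGET on `tty 2>/dev/null`"
    # "su -" gives oracle a full login environment (.profile is sourced).
    exec su - "$TARGET"
}

# Only act when installed under the assumed name; sourcing this file for
# testing just defines the functions above.
case "$0" in
    */oracle-shell) main "$@" ;;
esac
```

The DBA types `sudo oracle-shell`, authenticates with their own password, and sudo's own log plus the line written by logger record who became oracle and on which tty; su's own log entry will show root becoming oracle, which is why the extra line is worth having.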
Ken Penland_1
Trusted Contributor

Re: Requiring use of su

We have this in our /etc/profile:

# Refuse direct logins by accounts listed in /etc/spec.users, while
# still allowing "su - <user>" from another login session.
who am i | while read Owner Dev Month Day Time
do
    export USER=`whoami`
    # -x matches the whole line, so "ora" cannot match "oracle"
    grep -qx "$USER" /etc/spec.users
    if [ "$?" -eq 0 ]
    then
        # Owner is the account that opened the session (from who am i);
        # if it equals the effective user this is a direct login, not an su.
        if [ "$Owner" = "$USER" ]
        then
            echo "$USER user is not allowed to log in directly"
            sleep 5
            /usr/bin/kill -9 0
        fi
    fi
done

This allows users to su - oracle, but not log in directly as the user....or anyone else specified in the spec.users file
MANOJ SRIVASTAVA
Honored Contributor

Re: Requiring use of su

HI Tim


The best way is to trap such users in /etc/profile. Here is what we do: to restrict direct logins of SAs and DBAs, we add the following to /etc/profile:


# Name of the account that opened the session (first column of "who am i")
loginid=`who am i | awk '{print $1}'`

echo "$loginid"
if [ "$loginid" = oracle ]
then
    exit
fi

if [ "$loginid" = root ]
then
    exit
fi

and that way the user can't log in directly, and su collects the log of who su'ed to oracle/root.



Manoj Srivastava
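
The /etc/profile snippets posted by Ken and by Manoj both compare the session owner reported by `who am i` with the effective user. As an added example, not code from either post, here is the same check with the decision isolated in a function that takes its inputs as arguments, so it can be exercised with constructed values instead of a live login, and with the cases the posted versions let through handled: an empty `who am i` result (no utmp entry, e.g. a cron job or an ssh command run without a pty) is refused rather than allowed, and the list lookup matches whole names only. Assumptions: `who am i` prints the session owner in column 1, the su-only accounts live one per line in /etc/spec.users (Ken's file name), and the syslog tag is made up.

```shell
#!/bin/sh
# Added example, not the /etc/profile snippets posted by Ken or Manoj.
# Assumptions: `who am i` prints the session owner in column 1, and the
# su-only accounts are listed one per line in /etc/spec.users.

SPEC_USERS=/etc/spec.users

# must_refuse_login OWNER USER LISTFILE
#   OWNER     account that opened the session (column 1 of `who am i`;
#             empty when there is no utmp entry)
#   USER      effective user name (`whoami`)
#   LISTFILE  file of su-only account names, one per line
# Returns 0 when the session must be refused, 1 when it may continue.
must_refuse_login() {
    owner=$1
    user=$2
    list=$3

    # Not an su-only account: nothing to enforce.  -x matches whole lines
    # (so "ora" does not match "oracle"); -F takes the name literally.
    grep -qxF -- "$user" "$list" 2>/dev/null || return 1

    # Session owner unknown: fail closed.  Comparing an empty $Owner with
    # $USER, as the posted snippets do, would let this session through.
    [ -n "$owner" ] || return 0

    # Same name on both sides means a direct login, not an su from
    # somebody else's session.
    [ "$owner" != "$user" ] || return 0

    return 1
}

# Call this from /etc/profile.  It only runs for login shells, so it does
# nothing for ftp or for "ssh host command", which Tim raises later in the
# thread; those need a control outside the shell, such as the ftpusers
# file John mentions.
enforce_su_only() {
    owner=`who am i 2>/dev/null | awk '{print $1}'`
    user=`whoami`
    if must_refuse_login "$owner" "$user" "$SPEC_USERS"; then
        logger -p auth.warning -t profile \
            "direct login as $user refused (session owner: ${owner:-unknown})"
        echo "$user may only be used via su; log in as yourself first"
        sleep 2
        exit 1
    fi
}
```

The `exit 1` ends the login shell the way the posted snippets do; `kill -9 0` from Ken's version also works but takes down everything in the process group, which matters if the check is ever sourced from something other than a fresh login shell.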

Tim Maletic
Valued Contributor

Re: Requiring use of su

For those of you who are tweaking profiles:
what about FTP and other applications that ignore /etc/profile?
john korterman
Honored Contributor

Re: Requiring use of su

Hi again,
you can prevent users from establishing ftp connections by adding them to /etc/ftpd/ftpusers

regards,
John K.
it would be nice if you always got a second chance
Dario_1
Trusted Contributor

Re: Requiring use of su

Tim:

Check what Russell found in the following post. Is this what you are looking for?

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x40db68da2286d711abdc0090277a778c,00.html

Regards,

DR
Tim Maletic
Valued Contributor

Re: Requiring use of su

It seems that PAM would be the logical place to implement this policy. Can this be done with any of the existing PAM modules?
Jon Moore
New Member

Re: Requiring use of su

Most of the solutions that were proposed recommend adding code to /etc/profile to check the user's ID against a file of restricted users. The scripts have the following code:
"if [ some_test ]"

Can someone explain the [ and ] code pieces?

Thanks,
Jon Moore
Steven Sim Kok Leong
Honored Contributor

Re: Requiring use of su

&91; is the open square bracket
&93; is the close square bracket

It is one of those things the migrated forum has not yet fully resolved.

Hope this helps. Regards.

Steven Sim Kok Leong