Operating System - HP-UX

Restricting direct login access to non-root user

Dan Early
Occasional Contributor

Restricting direct login access to non-root user

Is there a way to disable remote login access for a non-root user (a DBA), so the user is required to login with an individual account and su to the DBA ID?
Graham Cameron_1
Honored Contributor

Re: Restricting direct login access to non-root user

Yes, we do just this to prevent DBAs logging in as oracle.
They have to login as themselves and then su - oracle, so we have an audit trail.

We do this by putting the following lines into /etc/profile:

# Ignore HUP/INT/QUIT so the user cannot break out of the check
trap "" 1 2 3
# who -m only works when the shell has a terminal; skip the check otherwise
who -m >/dev/null 2>&1
if [ "$?" = "0" ]
then
    # First field of "who -m" is the name the session was logged in with
    # (it stays the personal account after "su - oracle"); HP-UX who
    # truncates names to 8 characters, cut -c1-6 trims further to "oracle"
    TSTUSR=`who -m | cut -f1 -d" " | cut -c1-6`
    if [ "$TSTUSR" = "oracle" ]
    then
        echo "-------------------------------------"
        echo "STOP! Do not logon directly as oracle"
        echo "Do an SU in future please"
        echo "-------------------------------------"
        # exiting from /etc/profile ends the login shell
        exit
    fi
fi
Computers make it easier to do a lot of things, but most of the things they make it easier to do don't need to be done.
Ken Penland_1
Trusted Contributor

Re: Restricting direct login access to non-root user

If you have more than one special user that you want to keep out of logging in directly, you can create a special users file, and check against that file also...so a variation of the above would be this, also located in /etc/profile:

# Name the session was logged in with; unlike whoami it does not change
# after "su - oracle", so only direct logins are caught
USER=`logname`
export USER
# -x: match the whole line, so "ora" in the list does not match "oracle"
grep -qx "$USER" /etc/spec.users
if [ "$?" -eq 0 ]
then
    echo "$USER user is not allowed to log in directly"
    sleep 5
    # kill every process in this login's process group, shell included
    /usr/bin/kill -9 0
fi
john korterman
Honored Contributor
Solution

Re: Restricting direct login access to non-root user

Hi,
there is an old trick: make use of the korn shell's logname, e.g. insert in the beginning of .profile:

#!/usr/bin/sh
# logname prints the name the session was logged in with, so a user who
# did "su - oracle" from a personal account is not affected
if [ "`logname`" = "oracle" ]
then
    echo "direct login not allowed"
    # exiting from .profile ends the login shell
    exit
fi


this will make direct login impossible for the oracle user.

regards,
John K.

it would be nice if you always got a second chance
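The list-file variant from Ken Penland's reply and the logname check from John's reply combine naturally into one /etc/profile fragment. The following is an added example written for this thread, not code from any of the replies; the list file /etc/no_direct_login and the function names are assumptions. It matches whole lines only, so a short entry cannot accidentally match a longer account name, and it keys on logname(1) rather than whoami, so a session that reached the account via su is left alone.

```shell
#!/usr/bin/sh
# Added example: refuse direct logins for every account listed, one per
# line, in an assumed file /etc/no_direct_login (placeholder path).

# deny_direct_login NAME LISTFILE
#   Returns 0 when NAME is a whole line of LISTFILE (login must be refused),
#   1 otherwise. grep -x forces an exact line match, so "ora" never matches
#   "oracle". An unreadable or missing list file denies nothing.
deny_direct_login() {
    _name=$1
    _list=$2
    [ -r "$_list" ] || return 1
    grep -x "$_name" "$_list" >/dev/null 2>&1
}

# check_session LOGINNAME LISTFILE
#   Prints the refusal message and returns 0 when the session should be
#   ended; returns 1 when the login may proceed.
check_session() {
    if deny_direct_login "$1" "$2"; then
        echo "Direct login as $1 is not allowed; log in as yourself and run: su - $1" >&2
        return 0
    fi
    return 1
}

# Offline demonstration with a constructed list file; prints the three
# results, e.g. "0 1 1" (oracle refused, "ora" not matched, alice allowed).
demo() {
    _tmp=${TMPDIR:-/tmp}/no_direct_login.$$
    printf 'oracle\nsybase\n' > "$_tmp"
    if check_session oracle "$_tmp" 2>/dev/null; then r1=0; else r1=1; fi
    if check_session ora "$_tmp" 2>/dev/null; then r2=0; else r2=1; fi
    if check_session alice "$_tmp" 2>/dev/null; then r3=0; else r3=1; fi
    rm -f "$_tmp"
    echo "$r1 $r2 $r3"
}

# The part that belongs in /etc/profile. It is guarded here so that running
# this file for the demo does not end your shell; in /etc/profile, drop the
# guard and keep the three lines inside it.
if [ "$1" = "profile" ]; then
    trap "" 1 2 3                      # no breaking out of the check
    check_session "`logname`" /etc/no_direct_login && exit
fi
```

The `exit` only ends the login shell when the fragment is sourced from /etc/profile or ~/.profile; as a stand-alone script it would merely exit the script, which is why the check is kept in profile rather than in a separate file.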
Ken Penland_1
Trusted Contributor

Re: Restricting direct login access to non-root user

whoops, disregard the Owner part, I forgot to take that out, that is some additional code that is not necessary for what you are doing...
RAC_1
Honored Contributor

Re: Restricting direct login access to non-root user

Put some code in /etc/profile.

# Ignore HUP/INT/QUIT so the check cannot be interrupted
trap "" 1 2 3
# name the session was logged in with (unchanged by su)
login_id=`logname`

if [ "$login_id" = "oracle" ]
then
    echo "No direct logins allowed, use user login and do su to oracle"
    # exiting from /etc/profile ends the login shell
    exit
fi
There is no substitute to HARDWORK
Tim Sanko
Trusted Contributor

Re: Restricting direct login access to non-root user

Well there are several ways. The first way is to cheat. I would not allow login to the login id oracle. (I am assuming you would want to do it this way, and are using oracle.)

Have the user execute a script login_oracle. This script sets the oracle ID's password to a known password it also has the setuid bit set so that the script can be run as though the user is root. At the same time it sets the oracle password, it does an su to oracle, does a typescript, and when exited, e-mails root with the typescript file.

Along the way you will need to do several little things such as setting ignore break so the DBA can't actually get beyond the typescript.

Tim

When oracle_userID isn't active, the password field has an asterisk in it (no login).

Then to activate the account set the known password.

We have a security officer who builds the accounts and who can activate special users/vendors in this manner.


Hope that is a help.

Tim
Benjamin Shayne
New Member

Re: Restricting direct login access to non-root user

I noticed these were all ksh. At the end of /etc/csh.login, I execute the following script called /etc/login_check.csh:
#!/bin/csh -f
# name the session was logged in with; unchanged by "su - sybase"
set login_id=`logname`
if ($login_id == 'sybase') then
    echo "No direct logins allowed. Use [su - sybase] instead"
    # ps without arguments lists the processes on this terminal; collect the
    # pid of every csh on it (the login shell among them) and kill them all
    set pid = `ps | grep "csh" | sed 's/^ *//' | cut -f1 -d" "`
    kill -9 $pid
endif