Operating System - HP-UX

Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

 
Darryl Lauderdale
Occasional Contributor

I need a script or some means to prevent specific users, esp. DBAs, from telnetting in as oracle, and to make them log in using their personal account and then su to Oracle. I need information for both the Bourne shell and the C shell. It seems to me that some time ago there was an entry for "/usr/bin/sh" and not for "/usr/bin/csh". I need both; any help will be appreciated.
Patrick Wallek
Honored Contributor

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

We have used sudo to do exactly that.

The way we did it:

Put a * in the passwd field for the oracle ID.

Create a script called 'oracle' or something similar that looks like:

/usr/local/bin/sudo su - oracle

and make it executable.

Then set up sudo so that users can execute that script and voila.

Make sense?
Sanjay_6
Honored Contributor

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

Hi Darryl,

What you can do is disable the login for oracle, but this will disallow all logins as oracle. Users can only su to oracle. To do this, edit the /etc/passwd file and put a "*" in the 2nd field for oracle.

oracle:*:uid:gid:.....

There is no way to make one set of users unable to log in as oracle while another set is able to log in as oracle through telnet at the same time. I think that is what you are looking for.

If you face any permission problem, you may try looking into "sudo" to give users the superuser capability to run a particular script "oracle" as mentioned above by Patrick.

Hope this helps.

Regds
Craig Rants
Honored Contributor

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

A place I used to work had something that compared users to a special users list; if the user was not in there then they were given access or not.

If I remember correctly, /etc/profile was modified with an if/then statement to perform this check and let users in or not based on the user name.

Hope this helps.
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Roger Baptiste
Honored Contributor

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

hi,

Simple one:
you can add the following check in /etc/profile for the Bourne shell:

loginid=`logname`
if [ "$loginid" = oracle ]
then
    echo "Only Su login allowed"
    exit 1
fi

For csh, put similar logic in /etc/csh.login:

set loginid=`logname`
if ( "$loginid" == oracle ) then
    echo "Only Su allowed"
    exit 1
endif

***

Another method is to disable the oracle account and set up sudo to log in as oracle.

This is a good security question. Probably a security guru should be able to come up with a perfect trick to do this.

cheers
-raj
Take it easy.
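As an added example (not code from this thread or from any of its posters), here is a more general form of the /etc/profile guard above: it keeps a list of su-only accounts and decides from both `logname` and `id -un`, so a direct telnet login as oracle is refused while `su - oracle` from a personal account still gets through. The account list is constructed for the example, and /etc/shared_accounts is an assumed file name.

```shell
#!/bin/sh
# Added example, not code from the thread: a /etc/profile guard that refuses
# direct logins to shared service accounts but still lets staff "su -" into them.
# The account list below is constructed for the example; a real deployment
# would keep it in a root-owned file such as /etc/shared_accounts (assumed name).

SHARED_ACCOUNTS="oracle informix sybase"

# is_shared_account NAME: returns 0 when NAME is one of the su-only accounts.
is_shared_account() {
    for acct in $SHARED_ACCOUNTS; do
        [ "$1" = "$acct" ] && return 0
    done
    return 1
}

# direct_login_allowed LOGIN CURRENT: decide on two names rather than on
# "oracle" alone. LOGIN is who authenticated at the terminal (what `logname`
# reports, which survives su); CURRENT is the account whose profile is running
# (`id -un`). Returns 1 only for a direct login to a shared account; a user
# who logged in as themselves and ran "su - oracle" has LOGIN != CURRENT.
direct_login_allowed() {
    if is_shared_account "$2" && [ "$1" = "$2" ]; then
        return 1
    fi
    return 0
}

# Hook for the end of /etc/profile. It must use logname, not id -un or $USER:
# after "su - oracle" those report oracle and would lock out the very path
# the guard is meant to force. If logname cannot find the session in utmp,
# fall back to the current user so that the check fails closed.
deny_direct_shared_login() {
    login=$(logname 2>/dev/null) || login=$(id -un)
    current=$(id -un)
    if ! direct_login_allowed "$login" "$current"; then
        logger -p auth.warning -t profile-guard \
            "direct login to shared account $current refused (tty $(tty 2>/dev/null))"
        echo "Direct login to $current is not permitted; log in as yourself and su - $current"
        exit 1   # /etc/profile is sourced by the login shell, so this ends the session
    fi
}
```

Append a call to `deny_direct_shared_login` at the end of /etc/profile (and the equivalent logic to /etc/csh.login for csh users), keeping the hook last so no earlier profile error lets a session slip past it.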
Bernie Vande Griend
Respected Contributor

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

Raj's /etc/profile trick is how I usually do this as it is very simple and easy to keep track of.

If you're using a product like PowerBroker or CA's Access Control, this is a very easy thing to implement.

Here is a link to a script that someone wrote to do this as well:
http://www.dutchworks.nl/htbin/hpsysadmin?h=3&dn=49762&q=force%20su&fh
Ye who thinks he has a lot to say, probably shouldn't.
Michael Tully
Honored Contributor

Re: Scripts in preventing certains users(DBA) from logging in directly. Force to "su"

Hi,

The easiest way to do this is to disable the oracle account. This will allow you to do two things: force the DBAs to log in as themselves and then 'su - oracle', and, if you have more than one DBA, track who did what and when.
I have found over the years that DBA's don't give a rats about security, so place them on a harness.

This is the easiest way, but I am a firm believer in using 'sudo', so look into this, as the DBAs will not.

My 2 cents worth
-Michael (AKA - not a DBA fan)
Anyone for a Mutiny ?