Secure Shared Accounts

 
Steve Medrick
Occasional Contributor

Secure Shared Accounts

I need a way to have users log in as themselves,
and then access shared accounts (i.e. Oracle,
SIDs under Oracle). If there is some COTS or
some scripting/etc please advise. We are using
10.20 and 11.0 right now.

Can't use Sudo (as far as I know) as the users have
to stay in the environment rather than just submit
commands to it.

Any help would be appreciated. Tks
It's not the world we need to change, but ourselves.
8 REPLIES
Vincenzo Restuccia
Honored Contributor

Re: Secure Shared Accounts

Edit C script with command can't use, it has chmod 4501.
MARTINACHE
Respected Contributor

Re: Secure Shared Accounts

Hi,

Why don't you use sudo to do something like "su - oracle" as root?

Regards,

Patrice.
Patrice MARTINACHE
Andrew Maslin
Frequent Advisor

Re: Secure Shared Accounts

Another possibility is using rlogin. I don't know if this will work on the same machine or not, but we use it for a terminal for one server to log in on a second server without the extra login step (or a password being required). We put it in the .profile, but it could just as easily be placed in a script. See man rlogin for more info.
Patrick Wallek
Honored Contributor
Solution

Re: Secure Shared Accounts

You can use sudo to do an 'su - username'. We use that quite regularly here.

We have a line set up in our sudoers file like:

Cmnd_Alias ORACLE=/usr/uprc/scripts/Oracle

then we set up the users like:

userid machine_name=ORACLE

The Oracle script does the following to switch to the oracle user at a shell prompt, and the user can then do whatever he/she needs to do.

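#!/bin/sh
# Running as root (re-invoked through sudo): switch to the shared account.
if [ "`/usr/ucb/whoami`" = "root" ]
then
    # Target user is this script's name with the leading "O" lowercased (Oracle -> oracle).
    newuser=`basename "$0" | sed -e "s/^O/o/"`
    /bin/echo "Changing to user $newuser"
    exec /bin/su - "$newuser"
else
    # Not root yet: re-run this same script through sudo.
    exec /usr/uprc/bin/sudo /usr/uprc/scripts/`basename "$0"`
fi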
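
A check that goes with the sudoers setup in the post above, as an added example that is not part of the original thread: since sudo runs /usr/uprc/scripts/Oracle as root, the script and every directory above it should be owned by root and not writable by group or others. The function names and the optional owner and stop arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. sudo runs the wrapper as root, so any
# path component a non-root user can modify lets them swap in other code.

# unsafe_entry PATH OWNER: print PATH if it is not owned by OWNER or is
# writable by group or others. A symbolic link is reported as well (its mode
# bits read rwxrwxrwx), so links on the path get a manual look.
unsafe_entry() {
    find "$1" -prune \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# audit_wrapper SCRIPT [OWNER] [STOP]  (hypothetical helper for this example)
# Checks SCRIPT and each parent directory up to STOP (default /).
# Returns 0 if all are safe, 1 if any is unsafe, 2 if SCRIPT is missing.
audit_wrapper() {
    path=$1
    owner=${2:-root}
    stop=${3:-/}
    bad=0
    if [ ! -e "$path" ]; then
        echo "MISSING: $path"
        return 2
    fi
    while :; do
        if [ -n "$(unsafe_entry "$path" "$owner")" ]; then
            echo "UNSAFE: $(ls -ld "$path")"
            bad=1
        fi
        # Stop at STOP, at the filesystem root, or at "." for relative paths.
        case $path in
            "$stop"|/|.) break ;;
        esac
        path=$(dirname "$path")
    done
    return "$bad"
}

# On the layout from the post: audit_wrapper /usr/uprc/scripts/Oracle
```

The OWNER and STOP arguments exist so the check can be tried on a scratch directory; for the real wrapper the defaults (root, /) are the ones that matter.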

Shannon Petry
Honored Contributor

Re: Secure Shared Accounts

Well, I have seen a lot of assumptions. Mostly about running "at" on Windows 98?????? I thought only NT has the "at" command! Setup an FTP Server on 98???

To do this via FTP every couple of minutes is crazy! This is a very tedious mechanism for transferring 1 file (unless it is HUGE!).

Download and install SAMBA, and read the docs. You can use smbclient to access a windows share directly, and therefore write a script to run via cron. Since smbclient is very similar to ftp the smbclient may not be the most effective mechanism.

The most effective method is to create a samba share, and mount that on windblows. Have the windblows program dumping a file dump to the mapped drive.

Read the docs for SAMBA, and you will learn all you need. pretty basic though...

If you have to use smbclient, then it is a bit better than ftp, because it completely controls the scripts from the UNIX box, without adding software to windblows!

Read the docs for smbclient, and you'll be off and running...

Regards
Shannon
Microsoft. When do you want a virus today?
Bill Thorsteinson
Honored Contributor

Re: Secure Shared Accounts

If you only want access to things like Oracle SIDs then the
default Oracle install does what you want. Oracle will allow read access to the files needed to execute things
like SQLPlus, SQLLoader and other command line utilities.
Actual updates to the database are done by processes
running under the Oracle userid.

You may want to open up the udump directories for
access by all users.
Shannon Petry
Honored Contributor

Re: Secure Shared Accounts

Wow, looks like my post got put in the wrong message! Sorry bout that! What's up with that HP??????????

Anyway, with this one, I agree that you can use sudo to su - oracle. Sudo may be overkill though, if the users already have the password to oracle. If they do, a su '-' oracle loads the environment for the user after the '-' sign.

This may or may not suit your needs however. If it is because you have users running scripts, remember that you can use sudo to have them run the scripts as oracle, just as a binary. sudo is much more flexible than people think until they use it! :)

Regards,
Shannon
Microsoft. When do you want a virus today?
Jim Hendrick
Advisor

Re: Secure Shared Accounts

You may have more options with sudo than you are aware. (plus, it comes with source code so if you are brave & careful you can make it do whatever you need)

Pertaining to keeping a standard environment, you can easily set things like PATH, etc. in either the build or the sudoers file.

Good luck.

http://www.courtesan.com/sudo/man/sudoers.html
http://www.courtesan.com/sudo/install.html