HPE Community
Operating System - HP-UX
1847821 Members
4511 Online
104021 Solutions
New Discussion

Re: Security

 
SOLVED
Go to solution
Tim D Fulford
Honored Contributor

‎02-23-2001 02:43 AM

‎02-23-2001 02:43 AM

Security

I know about /etc/securetty restricting root's login ttys/console, however is there a similar file for each user? I have some common application logins which are quite powerful (database, application etc). I would like to force users to login as themselves then su to the appliaction login i.e.
login: joe_blog
Password: ********
% su - informix
....
This should allow me to find out what users(people, not apps) did what!
Cheers
-
0 Kudos
Reply
5 REPLIES 5
Ralf Bosz_2
Occasional Advisor

‎02-23-2001 03:12 AM

‎02-23-2001 03:12 AM

Re: Security

But this at the end of the user .profile (or in the /etc/profile):

if [ $rechtstreeks = user ];then
echo "Access Denied, use su - user"
exec sleep 5
exit
fi

Oh and just a reminder, user search next time, I got this from a search (I thought of something likewise but didn't use logname)
0 Kudos
Reply
Ralf Bosz_2
Occasional Advisor

‎02-23-2001 03:15 AM

‎02-23-2001 03:15 AM

Solution

Re: Security

Seem to forget a line which goes above the others ;)

rechtstreeks=`/usr/bin/logname`

(p.s. rechtstreeks is a Dutch word voor "straight" so you can make-up your own variable here)
Reply
Jon Gittoes
Occasional Advisor

‎02-25-2001 09:01 PM

‎02-25-2001 09:01 PM

Re: Security

Is this the only method of resticting login? I'm used to AIX, where you can set login=no and rlogin=no, surely there must be a better equivalent than putting something in the .profile?

Thanks

Jon. ( I have the same requirement as the original poster)
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎02-25-2001 09:11 PM

‎02-25-2001 09:11 PM

Re: Security

The way we have done this is to use sudo and to set the password of the appropriate account as an invalid password (like a *). We then set up a script (or alias) for the users so that when they type oracle, it does a 'sudo su - oracle' and then asks for their password. Also via sudo you can control who does and does not have access to the script.

Doing this also makes sure that no one logs in directly as the application id, but forces you to do an su.
0 Kudos
Reply
Tim D Fulford
Honored Contributor

‎06-18-2001 08:32 AM

‎06-18-2001 08:32 AM

Re: Security

Many Thanks for the replies

It took me a while to clear this one up! sorry, I'm using Ralf's method. It is not what we want exactly but it has similar functionality.

Sudo is a definite contender for the future, but one step at a time

Again many thanks all

Tim F
-
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.