Re: sudo control of root to oracle id.

jerry1 · ‎05-12-2004

Is there is way to configure if a user
uses sudo to su to root. That they will
not be able to su to oracle as the sudo root?
Seems like a strange question but this user
knows they are not to su to oracle using sudo
so they su to root(which they are allowed)
then they su to oracle.

On HP-UX if I su to root. I am root but the
true uid is me when doing a "who am I".
Can't sudo be configured to know that it is
another user running a root and deny them
to su - oracle based on the sudoers file.

I though there was a way to do this.

Navin Bhat_2 · ‎05-12-2004

Not sure if sudo can handle it. But maybe a wrapper around sudo can help the filtering.

A. Clay Stephenson · ‎05-12-2004

You've already given away the keys to the candy store when they become root. Anything you do they can undo --- unless you are relying upon security through ignorance.

If someone can't be trusted, why in the wide world of sports are they given the root password?

If it ain't broke, I can fix that.

Mel Burslan · ‎05-12-2004

once the user changed their effective uid to to zero, i.e., become root user or superuser, there is nothing to prevent them from doing what they want under any conventional unix flavor.

I am not sure why and how you can trust someone with the root capability but still want to prevent them from logging in as oracle.

once the user is root, there are more ways to skin the oracle cat, including but not limited to changing oracle userid's password, logging in and back.

If you think that those people that you trust with root capapbility will misuse their privileges, I would yank their root privileges without blinking my eyes a second time.

________________________________
UNIX because I majored in cryptology...

Marvin Strong · ‎05-12-2004

Don't give the keys to the castle to those that can't be trusted.

However, look into negating the "set_logname" from sudo.

Although not sure how that will work since you allow them to become root. But might be worth looking into.

Sounds to me like its time to yank su access for that user, and make specify all the commands that user can do.

jerry1 · ‎05-12-2004

They had root before I was here.
The admins here did not understand enough
to have the user justify the need.
I plan on taking root away but due to
politics its not going to be a friendly
change. The oracle dba's have told this
person to not su to oracle to make changes
but the person continues to do so.
Studying the logs. The user does not need
root to do their job as an app admin. It is a convenience.

Bill Hassell · ‎05-12-2004

Your management needs to understand that an amateur sysadmin is loose on their computers and with a single command, the entire system can be wiped out. If telling a user not to su to root does not work, that is grounds for termination in my humble opinion. There are plenty of sysadmins that will tell you horror stories about DBAs and other users who should never have had unlimited root privileges. After all, who gets the blame for a broken system, and who has to fix it as fast as possible?

As an alternative, sudo DOES provide the controls necessary to limit these user privileges. Rather than a takeaway option in sudo, you have the option to give commands to selected users. If a user needs to mount/umount a CDROM, not only list just the mount command in sudoers, but specify the acceptable source and destination. Don't ever give vi privileges to a non-sysadmin user--they can edit anything including sudoers and they can escape from vi to a shell with root privileges.

Bill Hassell, sysadmin

Kelsey Petrychyn · ‎05-13-2004

I would have to agree with the raving masses:

Careful who you give root access to.

The main feature of SUDO is allowing root-like access to specific people to do specific tasks without giving full root access.

If I were you I would be asking myself things like:

"Why does this person have root access?"
"Can they do their job without root access?"
"How can I configure SUDO so this person can still do their root-like jobs without actually being root?"

The way things are now, you are trying to "put bars on the windows while leaving the front door wide open".

Sanjay_6 · ‎05-13-2004

Hi,

Once you do sudo to root, you cannot control it. That is why it is the superuser id. It can do sudo to oracle or any id if it wants.

Your only choice is to somehow take the root access from that guy.

Hope this helps.

Regds

Fred Ruffet · ‎05-13-2004

The soluton maybe as simple as running passwd as root :)

Change your root password and when they'll crash on the authentication wall, they'll come at you to gain access again. If you are sys admin, you're not here to be loved.

As Clay said, they should never have been given the root password. So take it back.

Regards,

Fred

--

"Reality is just a point of view." (P. K. D.)

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: sudo control of root to oracle id.

sudo control of root to oracle id.