
sudo control of root to oracle id.

 
jerry1
Super Advisor

sudo control of root to oracle id.

Is there a way to configure if a user
uses sudo to su to root. That they will
not be able to su to oracle as the sudo root?
Seems like a strange question but this user
knows they are not to su to oracle using sudo
so they su to root(which they are allowed)
then they su to oracle.

On HP-UX if I su to root. I am root but the
true uid is me when doing a "who am I".
Can't sudo be configured to know that it is
another user running as root and deny them
to su - oracle based on the sudoers file.

I thought there was a way to do this.
Navin Bhat_2
Trusted Contributor

Re: sudo control of root to oracle id.

Not sure if sudo can handle it. But maybe a wrapper around sudo can help the filtering.
A. Clay Stephenson
Acclaimed Contributor

Re: sudo control of root to oracle id.

You've already given away the keys to the candy store when they become root. Anything you do they can undo --- unless you are relying upon security through ignorance.

If someone can't be trusted, why in the wide world of sports are they given the root password?
If it ain't broke, I can fix that.
Mel Burslan
Honored Contributor

Re: sudo control of root to oracle id.

Once the user changed their effective uid to zero, i.e., become root user or superuser, there is nothing to prevent them from doing what they want under any conventional unix flavor.

I am not sure why and how you can trust someone with the root capability but still want to prevent them from logging in as oracle.

Once the user is root, there are more ways to skin the oracle cat, including but not limited to changing oracle userid's password, logging in and back.

If you think that those people that you trust with root capability will misuse their privileges, I would yank their root privileges without blinking my eyes a second time.

________________________________
UNIX because I majored in cryptology...
Marvin Strong
Honored Contributor

Re: sudo control of root to oracle id.

Don't give the keys to the castle to those that can't be trusted.

However, look into negating the "set_logname" from sudo.

Although not sure how that will work since you allow them to become root. But might be worth looking into.

Sounds to me like it's time to yank su access for that user, and specify all the commands that user can do.


jerry1
Super Advisor

Re: sudo control of root to oracle id.

They had root before I was here.
The admins here did not understand enough
to have the user justify the need.
I plan on taking root away but due to
politics it's not going to be a friendly
change. The oracle dba's have told this
person to not su to oracle to make changes
but the person continues to do so.
Studying the logs. The user does not need
root to do their job as an app admin. It is a convenience.
Bill Hassell
Honored Contributor

Re: sudo control of root to oracle id.

Your management needs to understand that an amateur sysadmin is loose on their computers and with a single command, the entire system can be wiped out. If telling a user not to su to root does not work, that is grounds for termination in my humble opinion. There are plenty of sysadmins that will tell you horror stories about DBAs and other users who should never have had unlimited root privileges. After all, who gets the blame for a broken system, and who has to fix it as fast as possible?

As an alternative, sudo DOES provide the controls necessary to limit these user privileges. Rather than a takeaway option in sudo, you have the option to give commands to selected users. If a user needs to mount/umount a CDROM, not only list just the mount command in sudoers, but specify the acceptable source and destination. Don't ever give vi privileges to a non-sysadmin user--they can edit anything including sudoers and they can escape from vi to a shell with root privileges.


Bill Hassell, sysadmin
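
An added example, not part of the original thread or of sudo itself: a simplified Python check that flags sudoers rules amounting to full root (su, a shell, vi, passwd or ALL run as root), the situation the replies above describe. The sample sudoers text, user names, paths and device name are constructed, and the parser ignores line continuations and host lists.

```python
import re

# Constructed sample sudoers text; users, paths and the device name are hypothetical.
SAMPLE_SUDOERS = """\
Cmnd_Alias CDROM = /sbin/mount /dev/dsk/c1t2d0 /cdrom, /sbin/umount /cdrom
Cmnd_Alias EDIT  = /usr/bin/vi
appadmin ALL = (root) /usr/bin/su -
operator ALL = (root) CDROM
webadmin ALL = (root) NOPASSWD: EDIT, /opt/app/bin/appctl restart
dba1     ALL = (ALL) ALL
"""

# Programs that give an unrestricted root shell directly or through a shell
# escape, or that let root reset another account's password.
ROOT_EQUIVALENT = {"ALL", "su", "sh", "ksh", "csh", "bash", "vi", "passwd"}
SPEC = re.compile(r"(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)")
ALIAS = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)")


def audit(text):
    """Return sorted (user, command) pairs that amount to full root access."""
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    aliases = {}
    for line in lines:
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    findings = []
    for line in lines:
        m = SPEC.match(line)
        if not m or re.match(r"(\w+_Alias|Defaults)\b", line):
            continue
        user, runas, cmds = m.group(1), m.group(2) or "root", m.group(3)
        if not {r.strip() for r in runas.split(",")} & {"root", "ALL"}:
            continue  # rule does not run anything as root
        for item in cmds.split(","):
            item = re.sub(r"^(?:\w+:\s*)+", "", item.strip())  # drop tags like NOPASSWD:
            if item.startswith("!"):
                continue  # a negated entry grants nothing; ALL beside it still counts
            for cmd in aliases.get(item, [item]):
                prog = (cmd.split() or [""])[0].rsplit("/", 1)[-1]
                if prog in ROOT_EQUIVALENT:
                    findings.append((user, cmd))
    return sorted(findings)


if __name__ == "__main__":
    for user, cmd in audit(SAMPLE_SUDOERS):
        print(f"{user}: '{cmd}' is equivalent to unrestricted root")
```

In the sample, only the `operator` rule, which names the mount command together with its source and destination, passes without a finding.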
Kelsey Petrychyn
Occasional Advisor

Re: sudo control of root to oracle id.


I would have to agree with the raving masses:

Careful who you give root access to.

The main feature of SUDO is allowing root-like access to specific people to do specific tasks without giving full root access.

If I were you I would be asking myself things like:

"Why does this person have root access?"
"Can they do their job without root access?"
"How can I configure SUDO so this person can still do their root-like jobs without actually being root?"

The way things are now, you are trying to "put bars on the windows while leaving the front door wide open".
Sanjay_6
Honored Contributor

Re: sudo control of root to oracle id.

Hi,

Once you do sudo to root, you cannot control it. That is why it is the superuser id. It can do sudo to oracle or any id if it wants.

Your only choice is to somehow take the root access from that guy.

Hope this helps.

Regds
Fred Ruffet
Honored Contributor

Re: sudo control of root to oracle id.

The solution may be as simple as running passwd as root :)

Change your root password and when they'll crash on the authentication wall, they'll come at you to gain access again. If you are sys admin, you're not here to be loved.

As Clay said, they should never have been given the root password. So take it back.

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)