How to Change Unix user without su

I used to login to application user (Oracle account) directly but this practice is now stopped
due to audit restrictions.
I need to do 2 steps now to login to Oracle.
1. Login as my own user account
2. do a su to Oracle

How can I automate this process? I mean I still can login as my own account and then it should
automatically log me in as oracle (switch user to oracle). It may be using a script or in the profile settings (.profile etc).
Please advise.
Oranew Asked:


arnold Commented:
What are the restrictions?
There are different ways, must you run as the user oracle presumably to run sqlplus / sysdba?
See if sudo is a viable option.
su requires the password of the oracle account, while sudo uses your password to elevate rights if configured in /etc/sudoers.

Benefit of sudo is that data from the sudo session is logged.
Steve Bink Commented:
You can't pass the password to su - it will always try to read from STDIN.  But, you can tell sudo to not require it.  See:

http://sleepyhead.de/howto/?href=sudo

Set NOPASSWD on the user, then add `sudo su` to that user's ~/.bashrc file.

Note that this is bad security.

If this user account is compromised, an attacker will have unfettered access to root.  Sudo will no longer require password confirmation for any sudo sessions from the modified user.
serialband Commented:
Assuming you are allowed access to sudo, it can be set to whitelist binaries, and therefore limit access.  Of course, that depends on which binaries are allowed, since you can get full access if the wrong binaries are included.
simon3270 Commented:
For password-related tasks like this, "expect" is a useful tool.  You can get it to log on to the remote machine, run the "su - oracle" command, send the password, then use the "interact" expect command to become interactive.  That also allows you to have expect watch the data stream and execute its own form of macro (I used to have a system which required 5 logins to get through the network to the machine I wanted on a customer site - logging out of those 5 machines again took ages, so I had "expect" looking for a particular sequence in my typed text and it would then log out of the machines cleanly to get back to my original machine).
noci (Software Engineer) Commented:
Expect is bad as well. The root password needs to be put into a script.

sudo with the right line....
in /etc/sudoers

%useoracle ALL = ( oracle ) /bin/bash

will allow:
sudo -u oracle /bin/bash

if a user is a member of the Unix group useoracle......
Alternative:

johndoe ALL = (oracle) /bin/bash

will allow the user johndoe to do sudo -u oracle /bin/bash....
Any command that is allowed as oracle can be specified...

A password is asked for...; it's the login password for the user that runs the sudo command.
simon3270 Commented:
@noci, the password (oracle's, not root's) is only in the script if you put it there.  What I would do is prompt for the user's password (so that the script can log in to the remote machine) and oracle's password (so that the "su" works).  This would still cut out the manual step of changing to the oracle user.

All solutions are a balance of security and convenience.
noci (Software Engineer) Commented:
su still requires the knowledge of a shared account password where sudo does not.
In the case of a shared password sudo without asking for a password might be preferable.

can be done with:
%useoracle ALL = ( oracle ) NOPASSWD: /bin/bash

not exactly my cup of tea... YMMV.
Another option for remote systems is using ssh and using passwordless login using certificates.
Which requires the possession of a certificate (which might be password protected if needed)
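An added check, not posted by anyone in this thread, that scans a sudoers file for the NOPASSWD-to-a-shell pattern the lines above show (a passworded entry for a shell, or a NOPASSWD entry for a single non-shell binary, is not flagged). The sample sudoers content is constructed and mirrors the entries quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: flag sudoers entries that grant an
# interactive shell with NOPASSWD, the combination the posters above call
# out as removing the audit benefit of individual accounts.

# Constructed sample sudoers content mirroring the lines quoted in the thread.
SUDOERS_SAMPLE=$(mktemp)
cat > "$SUDOERS_SAMPLE" <<'EOF'
# constructed sample
%useoracle ALL = ( oracle ) /bin/bash
johndoe    ALL = (oracle) /bin/bash
%useoracle ALL = ( oracle ) NOPASSWD: /bin/bash
backup     ALL = (root) NOPASSWD: /usr/bin/rsync
EOF

# Print every non-comment entry that pairs NOPASSWD with an interactive shell.
# The NOPASSWD entry for rsync is left alone: it grants one binary, not a shell.
flag_nopasswd_shells() {
    while IFS= read -r line; do
        case "$line" in
            \#*|"") continue ;;
        esac
        if printf '%s\n' "$line" \
            | grep -Eq 'NOPASSWD:.*/(bash|sh|ksh|csh|zsh)[[:space:]]*$'; then
            printf 'NOPASSWD shell grant: %s\n' "$line"
        fi
    done < "$1"
}

# Number of flagged entries, for use from scripts and tests.
count_nopasswd_shells() {
    flag_nopasswd_shells "$1" | grep -c '^NOPASSWD shell grant:'
}

flag_nopasswd_shells "$SUDOERS_SAMPLE"
```

Point the functions at the real /etc/sudoers (and /etc/sudoers.d fragments) to see which entries would let a compromised personal account reach a shell as another user without a password prompt.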
Steve Bink Commented:
I agree with both of you in the sense that this is just a bad idea.  The password protections surrounding su/sudo are in place for a reason, and bypassing them does nothing but weaken a system's security.

That said, if you HAVE to do it, I think NOPASSWD in sudoers is the proper way to go.  And by "HAVE to do it", I mean "it is required for the proper operation of automated scripting and there is no other way around it".  I don't mean "I don't like typing my password each time".

In this particular example, using login certificates for the oracle user would be preferable to removing the security barrier with NOPASSWD.
simon3270 Commented:
I assume that you know the oracle password (since you used to log in directly!), but it's just that you don't want the extra step of typing the "su" command.

"sudo" would be fine, but if accounting has been restricted on the system, you probably don't have permission to add sudoers file entries.  If the sysadmins will add them for you, then sudo is indeed a more flexible tool than "su".

If you just want to avoid the manual entry of the "su" command, but are OK entering the oracle password, then just add

    su - oracle -c "/bin/bash"

to the end of the .profile for your account (it may be .bash_profile if you are using bash) (and if you aren't using bash, change the "/bin/bash" to whatever shell you want above).

Then, when you log in to your personal account you will be prompted for the oracle password.  To log out, press Ctrl-D (or type "exit" if you are using a C shell) once to get back to your personal account, and again to log out of the remote machine.

CSIA AN Commented:
Which OS? If AIX you can use rbac ( role-based access control). If so, tell me if you need help on this.
Oranew (Author) Commented:
Thanks to everyone who participated and answered this question.
My OS is not AIX but Solaris, and I have all the passwords including root and oracle, but my role is Oracle DBA.
Earlier we used to login directly as oracle, but a recent audit advised us to use our own individual accounts and then su to oracle.
I was thinking I would put the oracle password in .profile or find some other way to avoid this second step.
Steve Bink Commented:
So, to recap, you're moving to individual accounts with su/sudo because a security audit recommended it, and you are responding by removing the security benefits this change provides.

Keep us updated on your next audit.
noci (Software Engineer) Commented:
I would like to see the comment from the auditor on remark #a40822224 as well,
as the whole exercise most probably is meant to enhance security and not lower it.