Oranew
asked on
How to Change Unix user without su
I used to login to application user (Oracle account) directly but this practice is now stopped
due to audit restrictions.
I need to do 2 steps now to login to Oracle.
1. Login as my own user account
2. do a su to Oracle
How can I automate this process? I mean I still can login as my own account and then it should
automatically log me in as oracle(switch user to oracle).It may be using a script or in the profile settings (.profile etc).
Please advice.
due to audit restrictions.
I need to do 2 steps now to login to Oracle.
1. Login as my own user account
2. do a su to Oracle
How can I automate this process? I mean I still can login as my own account and then it should
automatically log me in as oracle(switch user to oracle).It may be using a script or in the profile settings (.profile etc).
Please advice.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Assuming you are allowed access to sudo, it can be set to whitelist binaries, and therefore limit access. Of course, that depends on which binaries are allowed, since you can get full access if the wrong binaries are included.
For password-related tasks like this, "expect" is a useful tool. You can get it to log on to the remote machine, run the "su - oracle" command, send the password, then use the "interact" expect comand to become interactive. That also allows you to have expect watch the data stream and execute its own form of macro (I used to have a system which required 5 logins to get through the network to the machine I wanted on a customer site - logging out of those 5 machines again took ages, so I had "expect" looking for a particular sequence in my typed text and it would then log out of the machines cleanly to get back to my original machine).
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
su still requires the knowledge of a shared account password where sudo does not.
In the case of a shared password sudo without asking for a password might be preferable.
can be done with:
%useoracle ALL = ( oracle ) NOPASSWD: /bin/bash
not exactly my cup of tea... YMMV.
Another option for remote systems is using ssh and using passwordless login using certificates.
Which requires the possession of a certificate (which might be password protected if needed)
In the case of a shared password sudo without asking for a password might be preferable.
can be done with:
%useoracle ALL = ( oracle ) NOPASSWD: /bin/bash
not exactly my cup of tea... YMMV.
Another option for remote systems is using ssh and using passwordless login using certificates.
Which requires the possession of a certificate (which might be password protected if needed)
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Which OS? If AIX you can use rbac ( role-based access control). If so, tell me if you need help on this.
ASKER
Thanks to everyone who participated and answered this question.
my OS is not AIX but solaris and also i have all the passwords including root and oracle but my role is oracle dba.
Earlier we used to login directly as oracle but recent audit advised to use own individual accounts and then su to oracle.
i was thinking i will put oracle password in .profile or some other way to avoid this second step
my OS is not AIX but solaris and also i have all the passwords including root and oracle but my role is oracle dba.
Earlier we used to login directly as oracle but recent audit advised to use own individual accounts and then su to oracle.
i was thinking i will put oracle password in .profile or some other way to avoid this second step
So, to recap, you're moving to individual accounts with su/sudo because a security audit recommended it, and you are responding by removing the security benefits this change provides.
Keep us updated on your next audit.
Keep us updated on your next audit.
i would like to see the comment from the auditor on remark #a40822224 as well.
As the whole exercise most probably is meant to enhance security and not lower it.
As the whole exercise most probably is meant to enhance security and not lower it.
There are different ways, must you run as the user oracle presumably to run sqlplus / sysdba?
See if sudo is a viable option.
su requires the password of oracle account, while sudo uses your password to elevate rights if configured /etc/sudoers
Benefit of sudo is that data from the sudo session is logged.