First, thank you to everyone that replied. You guys are AWESOME! I received a great number of replies. My original question, followed by a synopsis of the replies I received are below.

We will use either item number 1 or number 3 in the list of suggestions below.

-- Darryl

-----Original Message-----
To: sunmanagers@sunmanagers.org
Subject: limiting login to su

Managers,

Is there a way to force an su to a username rather than the user being available via direct login? We would like to have people log in as themselves and have to su to oracle, rather than them having the ability to log in as oracle directly. We're running Solaris 8.

______________________________________________

I received the following recommendations:

1. Lock the password, then force the use of sudo (e.g., 'sudo su - oracle'). Do a google search for more info.

2. One way is to make the home dir of the user (i.e. oracle) non-writable to the owner and then place a .profile in there that does a "trap "" 2; exit". Anyone doing a direct login will run the .profile and exit out. This won't stop "r" commands unless you shut them off.

3. Since you're running Solaris 8, you can use RBAC (Role Based Access Control) to do this. Create oracle as a role and assign that role to the users you want to be able to access it. The OE documentation will give you the details on how to do this.

   (Then, one respondent sent instructions on how to use RBAC. He said the following:)

   you can make oracle a role with solaris 8 or 9's /etc/user_attr table. add this to /etc/user_attr:

       oracle::::type=role;auths=solaris.*,solaris.grant;profiles=All
       usertousesu::::type=normal;auths=solaris.system.dat;roles=oracle;profiles=All

   Only these users can su to oracle.

4. We had the same problem with some generic user accounts. Our systems only have access via openssh, so I was able to add 'DenyUsers oracle' parameter to the sshd_config file. This has worked fine for us.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Oct 18 11:30:38 2002
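An added example, not part of the original post: a shell check for the RBAC setup in suggestion 3 that reads user_attr entries on stdin and reports whether an account is a role and which users may assume it. The function names and the sample entries (alice, bob, carol) are constructed for illustration, and the parser assumes no attribute value contains a colon.

```shell
#!/bin/sh
# Audit user_attr(4) entries for a role-only account (added example).
# Entry format: user:qualifier:res1:res2:attr
# where attr is a ';'-separated list of key=value pairs.

# role_members ROLE  -> prints each user whose roles= list contains ROLE
role_members() {
    awk -F: -v role="$1" '
        /^[ \t]*#/ || NF < 5 { next }      # skip comments and short lines
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^roles=/) {
                    # roles= may hold a comma-separated list
                    m = split(substr(kv[i], 7), r, ",")
                    for (j = 1; j <= m; j++)
                        if (r[j] == role) print $1
                }
            }
        }'
}

# is_role ACCOUNT  -> exit status 0 only if ACCOUNT carries type=role
is_role() {
    awk -F: -v acct="$1" '
        /^[ \t]*#/ || NF < 5 { next }
        $1 == acct {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] == "type=role") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample entries, not taken from a real system.
SAMPLE='# constructed sample
oracle::::type=role;profiles=All
alice::::type=normal;roles=oracle;profiles=All
bob::::type=normal;roles=backup,oracle
carol::::type=normal;profiles=All'

if printf '%s\n' "$SAMPLE" | is_role oracle; then
    echo "oracle is a role; users allowed to assume it:"
    printf '%s\n' "$SAMPLE" | role_members oracle
else
    echo "WARNING: oracle is not type=role"
fi
```

On a live system the same functions take the real table on stdin, for example `role_members oracle < /etc/user_attr`.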