SUMMARY: limiting login to su

From: Darryl Pace <datpace_at_earthlink.net>
Date: Fri Oct 18 2002 - 11:44:03 EDT
First, thank you to everyone that replied.  You guys are AWESOME!  I
received a great number of replies.  My original question, followed by a
synopsis of the replies I received, is below.  We will use either item
number 1 or number 3 in the list of suggestions below.

-- Darryl


-----Original Message-----
To: sunmanagers@sunmanagers.org
Subject: limiting login to su

Managers,
            Is there a way to force an su to a username rather than the
user being available via direct login?  We would like to have people log
in as themselves and have to su to oracle, rather than them having the
ability to log in as oracle directly.  We're running Solaris 8.
______________________________________________

I received the following recommendations:

1. Lock the password, then force the use of sudo (e.g., 'sudo su -
oracle').  Do a google search for more info.

2. One way is to make the home dir of the user (i.e. oracle)
non-writable to the owner and then place a .profile in there that does a
"trap "" 2; exit". Anyone doing a direct login will run the .profile and
exit out. This won't stop "r" commands unless you shut them off.

3. Since you're running Solaris 8, you can use RBAC (Role Based Access
Control) to do this.  Create oracle as a role and assign that role to
the users you want to be able to access it. The OE documentation will
give you the details on how to do this.

(Then, one respondent sent instructions on how to use RBAC.  He said the
following:)

You can make oracle a role with Solaris 8 or 9's /etc/user_attr table.

add this to /etc/user_attr:

oracle::::type=role;auths=solaris.*,solaris.grant;profiles=All
usertousesu::::type=normal;auths=solaris.system.dat;roles=oracle;profiles=All

Only these users can su to oracle.


4. We had the same problem with some generic user accounts. Our systems
only have access via openssh, so I was able to add 'DenyUsers oracle'
parameter to the sshd_config file. This has worked fine for us.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Fri Oct 18 11:30:38 2002

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:56 EST
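The RBAC setup from item 3 and the sshd DenyUsers setting from item 4, as an added example that is not part of the original thread: a small POSIX shell script that checks a user_attr file defines oracle as a role, lists which normal users carry roles=oracle (and so may su to it), and confirms a DenyUsers line blocks direct ssh login. The user_attr and sshd_config contents below are constructed stand-ins for the real /etc files, and the user names dba1, dba2 and intern are made up.

```shell
#!/bin/sh
# Added example: verify an "oracle is a role" configuration of the kind
# described in the thread. Constructed sample files stand in for
# /etc/user_attr and /etc/ssh/sshd_config; point the functions at the
# real files to check a live system.

USER_ATTR=$(mktemp)     # constructed sample, stands in for /etc/user_attr
SSHD_CONFIG=$(mktemp)   # constructed sample, stands in for sshd_config
trap 'rm -f "$USER_ATTR" "$SSHD_CONFIG"' EXIT

cat > "$USER_ATTR" <<'EOF'
# user:qualifier:res1:res2:attr   (constructed sample)
oracle::::type=role;auths=solaris.*,solaris.grant;profiles=All
dba1::::type=normal;roles=oracle;profiles=All
dba2::::type=normal;roles=sysadm,oracle
intern::::type=normal;profiles=Basic Solaris User
EOF

cat > "$SSHD_CONFIG" <<'EOF'
# constructed sample
PermitRootLogin no
DenyUsers oracle
EOF

# entry_type USER FILE -> prints the type= value of USER's user_attr entry
entry_type() {
    awk -F: -v u="$1" '$1 == u {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^type=/) { sub(/^type=/, "", kv[i]); print kv[i] }
    }' "$2"
}

# users_with_role ROLE FILE -> prints normal users whose roles= list has ROLE
users_with_role() {
    awk -F: -v r="$1" '$1 !~ /^#/ && $5 ~ /type=normal/ {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^roles=/) {
                sub(/^roles=/, "", kv[i]); m = split(kv[i], roles, ",")
                for (j = 1; j <= m; j++) if (roles[j] == r) print $1
            }
    }' "$2"
}

# ssh_denied USER FILE -> exit 0 if a DenyUsers line in FILE names USER
ssh_denied() {
    awk -v u="$1" 'tolower($1) == "denyusers" {
        for (i = 2; i <= NF; i++) if ($i == u) found = 1
    } END { exit found ? 0 : 1 }' "$2"
}

if [ "$(entry_type oracle "$USER_ATTR")" = "role" ]; then echo "oracle is a role"; fi
echo "may su to oracle: $(users_with_role oracle "$USER_ATTR" | tr '\n' ' ')"
if ssh_denied oracle "$SSHD_CONFIG"; then echo "direct ssh login as oracle denied"; fi
```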