Allow group of users to su to a locked administrative account.

davidstacks1964_at_netscape.net
Date: 12/28/04

    Date: Tue, 28 Dec 2004 11:33:52 -0500
    To: tru64-unix-managers@ornl.gov


    Hello All!

    First want to say that I hope all have had a wonderful holiday season.

    Also want to say that I did find one solution to the problem that I have, but the solution was not that clear to me. Hopefully Chris Ford is still a member of the list.

    Here is the task that I am working on:

    I have several UNIX Tru64 servers with Oracle Administrative accounts. What I want to do is to lock down the oracle admin account so no direct login can be done to this account, but allow the DBAs to log in as themselves, then su to the oracle admin account.

    I'll cut and paste the solution that I found below, and if anyone knows how to incorporate the use of the /etc/securettys file, or has another way of doing this, I'd greatly appreciate the help.

    I have already tried locking a test account then attempting to su to the test account. Per the man page for su, this is not allowed, and I have found this to be true.

    Thanks,

    David Stacks
    Sr. System Analyst
    Entergy Corp.
    (870) 543-5436
    dstacks@entergy.com

    ***************************************************************************

    Solution that I found:

    [SUMMARY] Preventing application account access


      To: "Tru64-Unix-Managers@xxxxx Gov (E-mail)" <tru64-unix-managers@xxxxxxxx>
      Subject: [SUMMARY] Preventing application account access
      From: "Roberts, Blake" <broberts@xxxxxxxxx>
      Date: Thu, 15 Aug 2002 15:40:57 -0500
      Delivered-to: tru64-unix-managers@sws1.ctd.ornl.gov
      Followup-to: poster
      Sender: tru64-unix-managers-owner@xxxxxxxx
      Thread-Index: AcJEigcoPesPw3PMQeWW+Hymt0/x0AAASHegAAQnmwA=
      Thread-Topic: Preventing application account access

    Thanks goes to Chris Ford (Chris.Ford@acxiom.com)

    To do this properly, there is no easy way. You have to make an addition to the profile of each user (will probably add it to /etc/skel) and call a script which reads a file similar to /etc/securettys. I tested the solution, and it works like a champ!

    Best regards,
    --Blake Roberts
    UNIX Systems Administrator
    ERCOT-Austin
    512.225.7178
    512.695.5071 (cell)

    -----Original Message-----
    From: Roberts, Blake
    Sent: Thursday, August 15, 2002 1:42 PM
    To: Tru64-Unix-Managers@Ornl. Gov (E-mail)
    Subject: [ADDENDUM] Preventing application account access

    I forgot to mention, I have sudo installed on the system, but I have not found a way for it to prompt me for the password of the administrative account. Since, by default anyway, it prompts for your own password, if the user's password is compromised (by writing it down and leaving it on their desk, etc), there is no way to keep people away from the big accounts.

    --Blake

    -----Original Message-----
    From: Roberts, Blake
    Sent: Thursday, August 15, 2002 1:32 PM
    To: Tru64-Unix-Managers@Ornl. Gov (E-mail)
    Subject: Preventing application account access

    Folks,

    I'm running a Tru64 5.1 PK5 Enhanced Security environment. Per a new (and decent) password policy that is being implemented, I need to restrict the application admin accounts so that they will su from a personal account to the administrative account (such as oracle), similar to what you need to do if root is locked down properly.

    My problem is, in base security, if I lock the account, you can log in as a user, then su to it just fine. In enhanced security, you can't do that. It needs to be unlocked to be able to log into it. Does anyone know of a trick, edauth flag, etc, that needs to be set for the account to be able to be su'd to, but not directly logged in to?

    Best regards,

    --Blake Roberts
    UNIX Systems Administrator
    ERCOT-Austin
    512.225.7178
    512.695.5071 (cell)
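    As an added illustration of the profile-hook approach Blake's summary describes (example code written for this page, not from the thread, from Chris Ford or from Tru64): a POSIX sh allow-list check that an application account's .profile could call to end sessions that logged into the account directly instead of reaching it by su from a listed personal login. The file /etc/su.allow, its line format, and the use of `who am i` to recover the original login name are assumptions; the sample list is constructed.

```sh
#!/bin/sh
# Added example (not from the thread). Allow-list format (assumed, modelled
# loosely on /etc/securettys): "account: login1 login2 ...", '#' comments.

# su_allowed TARGET LOGIN ALLOWFILE
# Returns 0 if LOGIN is listed for TARGET in ALLOWFILE, 1 otherwise.
su_allowed() {
    target=$1 login=$2 allowfile=$3
    [ -r "$allowfile" ] || return 1
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac   # skip blanks and comments
        [ "${line%%:*}" = "$target" ] || continue
        for u in ${line#*:}; do                  # word-split the login list
            [ "$u" = "$login" ] && return 0
        done
    done < "$allowfile"
    return 1
}

# enforce_su_policy ACCOUNT ORIGLOGIN ALLOWFILE
# ACCOUNT is the account whose profile is running; ORIGLOGIN is the login
# name the session started as. A direct login (ORIGLOGIN == ACCOUNT) is
# refused; an su from a personal login is allowed only if it is listed.
enforce_su_policy() {
    account=$1 orig=$2 allowfile=$3
    [ -n "$orig" ] || return 1            # no recoverable origin: refuse
    [ "$orig" != "$account" ] || return 1 # direct login to the account
    su_allowed "$account" "$orig" "$allowfile"
}

# Constructed sample allow-list so the script runs stand-alone.
SAMPLE_ALLOW=$(mktemp)
trap 'rm -f "$SAMPLE_ALLOW"' EXIT
cat > "$SAMPLE_ALLOW" <<'EOF'
# application account: personal logins permitted to su to it
oracle: dba1 dba2
sybase: sa1
EOF
# Hook as it would appear in ~oracle/.profile (assumed path and commands):
#   enforce_su_policy "$(id -un)" "$(who am i | awk '{print $1}')" /etc/su.allow \
#     || { echo "Direct login to this account is not permitted." >&2; exit 1; }

# Stand-alone demonstration against the constructed list.
for from in dba1 oracle sa1; do
    if enforce_su_policy oracle "$from" "$SAMPLE_ALLOW"; then
        echo "oracle reached from $from: allowed"
    else
        echo "oracle reached from $from: refused"
    fi
done
```

    A .profile hook only runs for interactive login shells, so non-login shells and remote command execution skip it; treat it as a policy aid alongside logging of su activity, not as the equivalent of locking the account.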
