su - access


Sree
Aug 27, 2002, 2:59:09 AM
Dear Friends,
How do I provide su access to the oracle user and disable direct login through
ssh or telnet, only for the user oracle, on Sun systems?

Rgds

sree

Daniele
Aug 27, 2002, 9:54:19 AM

"Sree" <sr...@qnetstaff.com> wrote in message news:akf7tu$q6...@medusa.qualitynet.net...

from man sshd

DenyUsers
This keyword can be followed by a number of user names, separated
by spaces. Login is disallowed for user names that match one of
the patterns. `*' and `?' can be used as wildcards in the patterns.
Only user names are valid, a numerical user id isn't recognized.
By default login is allowed regardless of the user name.

and disable telnet access.

those who know me have no need of my name
Aug 27, 2002, 4:08:26 PM
in comp.security.unix i read:

>"Sree" <sr...@qnetstaff.com> wrote in message
>news:akf7tu$q6...@medusa.qualitynet.net...

>> how to provide su access to oracle user and disable direct logging
>> throught ssh or telnet. only for user oracle.On Sun systems.

disable the oracle user's password, install sudo (available from
sunfreeware.com) and configure it so that the appropriate people can run
programs as the oracle user.

>from man sshd
>
> DenyUsers

which won't stop telnet access. i expect a rejoinder of `well, telnet
shouldn't be enabled anyway!' with which i agree, somewhat, but the op
specifically included it in the requirements so your response is only
partly useful.

--
bringing you boring signatures for 17 years

all mail refused
Aug 27, 2002, 5:55:15 PM
In article <akfv74$jso$1...@newsfeed.cineca.it>, Daniele wrote:
>
>"Sree" <sr...@qnetstaff.com> wrote in message news:akf7tu$q6...@medusa.qualitynet.net...

>> how to provide su access to oracle user and disable direct logging throught
>> ssh or telnet.
>> only for user oracle.On Sun systems.

>from man sshd
>
> DenyUsers
>
>and disable telnet access.

Perhaps telnet is wanted for other accounts.

1) consider sudo

2) a custom shell capable of telling how it has been called could exec a
normal shell if called via su and exit otherwise.

Once your users get arbitrary access to the oracle user there's nothing
much to stop them running alternative login arrangements. Apart from
fear of the halon discharge, of course.

--
decoy mail addresses: obtain username via 0x4f/tcp or 0x50/tcp
random words follow - don't take too seriously!
However, he does tend to overlap in places, but there is ambiguity,
assume the issue of RISKS know, many Internet users think that
sometimes we are justified in blaming the victims of an FBI-planted
virus, vague denials.

Gina Towell
Aug 27, 2002, 5:59:54 PM
Another option:


Assuming that the login name is "oracle", in /etc/profile wherever you think
appropriate:

# Bourne/Korn shell: logname(1) reports the name the session was logged in as,
# which stays "oracle" only for a direct login (su from another account keeps
# the original login name).
if [ "`logname`" = "oracle" ]
then
    echo "This user restricted to su access only."
    exit
fi

in /etc/.login (for csh users)

# csh needs whitespace around the == operator
if ( "$LOGNAME" == "oracle" ) then
    echo "This user restricted to su access only."
    logout
endif

No requirement to disable telnet in this scenario.

Gina Towell
Unix Administrator

"Sree" <sr...@qnetstaff.com> wrote in message
news:akf7tu$q6...@medusa.qualitynet.net...

those who know me have no need of my name
Aug 27, 2002, 9:24:07 PM
in comp.security.unix i read:

[snip Bourne and csh login script traps denying the "oracle" user access]

>No requirement to disable telnet in this scenario.

provided that rcmd is disabled, otherwise ``rsh -l oracle host sh -i'' is
still an entry point.

Marcel
Aug 28, 2002, 5:52:17 AM
Hi Gina,

Your idea works fine as long as the system is very fast...
When someone uses a login script that sends a ctrl-break character
directly after the login, it could be possible that the exit statement is
not executed, and you break into the shell.
(Try for example a long delay like
...

echo "This user restricted to su access only."
sleep 3
exit
..
When you log in and after that press ctrl-c, then you are in the shell!!
I used your way of working too, but I sometimes managed to break in!
(without the "sleep 3")
I think that this is a less secure way of working; maybe it helps you
optimize your systems, otherwise you're warned of this issue!

Greetz,

Marcel

Casper H.S. Dik
Aug 28, 2002, 10:58:45 AM
"Sree" <sr...@qnetstaff.com> writes:

On Solaris systems with RBAC (s8+, I think) you can make the oracle
user into a "role"; that disables direct login access to the account
and also allows you to specify which users can su to it.


see user_attr(4) and rbac(5).

Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

Tim Izod
Aug 29, 2002, 11:06:17 AM
[snip]

You may have some luck preventing this with trap. IIRC 'trap "" 2 3'
should intercept signals 2 (Interrupt (^C)) and 3 (Quit). 'trap 2 3' at
the end of the script would cause it to obey ^C and signal 3 again.
--
Tim Izod.

Unix Systems Analyst/ TDM Administrator.
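The following is an added example, not code posted by anyone in this thread: Gina's /etc/profile guard with Tim's trap around it, plus a small harness that reproduces Marcel's ^C race so the effect of the trap can be observed. It is plain POSIX sh so it runs on any workstation; the account name "oracle", the login name "alice" and the self-sent SIGINT standing in for a typed ^C are all constructed for the demonstration. On Solaris the fragment between the "begin/end" comments is what goes near the top of /etc/profile.

```shell
#!/bin/sh
# Added example (not from the thread). Simulates a login shell reading
# /etc/profile, with and without the trap Tim suggested, while a ^C
# arrives during the banner. Names and the simulated ^C are constructed.

# Run the profile fragment in a child shell and report what happened.
#   $1: login name to simulate ("oracle" is the restricted account)
#   $2: "trap" to install the signal guard, anything else to omit it
# The child sends itself SIGINT right after the banner, standing in for
# a ^C typed during a slow login. Output is one of:
#   denied - the guard ran through to its exit (what we want for oracle)
#   shell  - the guard did not apply (an ordinary account)
#   ""     - the interrupt killed the child before the guard's exit; in a
#            real interactive login shell this is the case Marcel hit,
#            where the aborted profile leaves the user at a prompt
simulate_login() {
    sh -c '
        name=$1; mode=$2
        # --- begin /etc/profile fragment ---
        # Ignore SIGINT (2) and SIGQUIT (3) while the check runs, so a
        # ^C or ^\ cannot abort the profile before "exit" is reached.
        if [ "$mode" = trap ]; then trap "" 2 3; fi
        if [ "$name" = oracle ]; then            # logname(1) on the real system
            echo "This user restricted to su access only." 1>&2
            kill -INT $$                         # simulated ^C during the banner
            echo denied
            exit 1
        fi
        # Restore default handling for everyone else (Tim wrote this as
        # "trap 2 3"; "trap - 2 3" is the same reset in POSIX form).
        if [ "$mode" = trap ]; then trap - 2 3; fi
        # --- end /etc/profile fragment ---
        echo shell
    ' guard "$1" "$2" 2>/dev/null || :
}

# Stand-alone run: show all four outcomes.
for n in alice oracle; do
    for m in notrap trap; do
        echo "$n/$m: '$(simulate_login "$n" "$m")'"
    done
done
```

For csh users the same hardening is `onintr -` before the check in /etc/.login. Note what the guard does not cover: /etc/profile is only read by login shells, so `rsh -l oracle host sh -i` (as pointed out above) and `ssh -l oracle host cmd` never run it, and a locked password, sshd's DenyUsers, or the Solaris role approach are what actually close those paths.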
