From: Gary Mills on 16 Jul 2010 09:21

I understand that we can set up a role account and give that account additional privileges with RBAC, and that users can't log in directly to the role account. We want users to be forced to `su' to the role account to obtain the privileges so that this action will be logged. This is all fine.

However, they have to know the password for the role account in order to `su' to it. Is there a way in RBAC to permit them to provide their own password instead, or not use a password at all? This behavior would be more convenient for us.

As an example, we want each DBA to log in to a database server with their own account. Then they can `su' to the oracle user to assume that identity and the associated privileges. We will then have a record of that activity. If they just logged in as oracle, we wouldn't know who it was.

--
-Gary Mills-        -Unix Group-        -Computer and Network Services-
From: ITguy on 16 Jul 2010 21:01

> I understand that we can set up a role account and give that account
> additional privileges with RBAC, and that users can't log in directly
> to the role account. We want users to be forced to `su' to the role
> account to obtain the privileges so that this action will be logged.
> This is all fine.
>
> However, they have to know the password for the role account in order
> to `su' to it. Is there a way in RBAC to permit them to provide their
> own password instead, or not use a password at all? This behavior
> would be more convenient for us.

Remove the password from the role:

    # passwd -d <role>

Change "/etc/default/login" from:

    PASSREQ=YES

to

    PASSREQ=NO

Make sure all other accounts have passwords, as it is no longer required for login!

    # passwd -sa | grep NP

Users assigned to the role can now "su" to it with no password.
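The procedure above, scripted with the checks around it that matter once PASSREQ=NO is in effect. This is an added example and not code posted in the thread; the role name "oracle", the DBA accounts "gary" and "alice", the RBAC profile "Oracle DBA" and the sample passwd -sa and user_attr contents are all assumed or constructed for illustration. The helper functions take file paths and stdin so they can be rehearsed on scratch copies before the real /etc/default/login is touched; the live Solaris commands (roleadd, usermod -R, passwd -d) only run when the script is invoked with the argument apply.

```shell
#!/bin/sh
# Added example, not code from the thread. It scripts the procedure ITguy describes
# on Solaris 10 and adds the checks a practitioner wants around it. Assumed names:
# role "oracle", DBA users "gary" and "alice", RBAC profile "Oracle DBA" (hypothetical).

ROLE=oracle
USERS="gary alice"

# Parse `passwd -sa` output (fields: name status [date min max warn]) and print every
# account whose status is NP (no password). Once PASSREQ=NO is set, any such account
# can log in with no password at all, so only the role should ever show up here.
find_passwordless() {
    awk '$2 == "NP" { print $1 }'
}

# Set PASSREQ in an /etc/default/login-style file. The path is a parameter so the
# edit can be rehearsed on a scratch copy before touching the real file.
set_passreq() {
    file=$1
    value=$2
    if grep -q '^PASSREQ=' "$file"; then
        sed "s/^PASSREQ=.*/PASSREQ=$value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'PASSREQ=%s\n' "$value" >> "$file"
    fi
}

# Verify, from an /etc/user_attr-style file (user:qualifier:res1:res2:key=val;...),
# that $role is really type=role and that $user lists it under roles=. Only users with
# the role in their roles= list are allowed to su to it; returns 0 if both hold.
user_may_assume_role() {
    attrfile=$1
    user=$2
    role=$3
    grep -q "^$role:.*type=role" "$attrfile" || return 1
    awk -F: -v u="$user" -v r="$role" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^roles=/) {
                    m = split(substr(kv[i], 7), rs, ",")
                    for (j = 1; j <= m; j++) if (rs[j] == r) found = 1
                }
        }
        END { exit !found }' "$attrfile"
}

# The live procedure; run as root on Solaris 10 only. Creates the role with its
# profile, assigns it to the DBAs, strips its password, relaxes PASSREQ, then
# audits for any other passwordless account.
apply_on_solaris() {
    roleadd -m -d "/export/home/$ROLE" -P "Oracle DBA" "$ROLE"
    for u in $USERS; do
        usermod -R "$ROLE" "$u"
    done
    passwd -d "$ROLE"
    set_passreq /etc/default/login NO
    echo "Accounts with no password (expect only $ROLE):"
    passwd -sa | find_passwordless
}

# Offline rehearsal on constructed sample files (not real system output).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd.out" <<'EOF'
root      PS    07/16/10     0  91   7
gary      PS    06/01/10     0  91   7
alice     PS    06/01/10     0  91   7
oracle    NP
nobody    LK
backup    NP
EOF
    cat > "$tmp/user_attr" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=All;type=normal
oracle::::type=role;profiles=Oracle DBA
gary::::type=normal;roles=oracle
alice::::type=normal;roles=oracle,backup
EOF
    printf 'CONSOLE=/dev/console\nPASSREQ=YES\nSYSLOG=YES\n' > "$tmp/login"

    set_passreq "$tmp/login" NO
    echo "login defaults now:"; grep '^PASSREQ=' "$tmp/login"
    echo "passwordless accounts (backup is the kind of hole the audit exists to catch):"
    find_passwordless < "$tmp/passwd.out"
    for u in $USERS root; do
        if user_may_assume_role "$tmp/user_attr" "$u" "$ROLE"; then
            echo "$u may su to $ROLE"
        else
            echo "$u may NOT su to $ROLE"
        fi
    done
    rm -rf "$tmp"
}

case "${1:-demo}" in
    apply) apply_on_solaris ;;
    *)     demo ;;
esac
```

Run it with no arguments anywhere to see the rehearsal on the constructed sample data; run `sh script.sh apply` as root on the Solaris 10 host to perform the change. The audit step is the important part: `passwd -d` alone only affects the role, which cannot log in directly because it is type=role, but PASSREQ=NO applies to every NP account on the system, so anything other than the role in that list needs a password (or a lock) before the change goes live. The su itself is recorded according to /etc/default/su (SULOG, normally /var/adm/sulog, and SYSLOG), which is what gives the per-DBA trail the original post asks for. On Solaris 11, which postdates this thread, the direct answer to the original question is `rolemod -K roleauth=user oracle`, which makes su to the role prompt for the user's own password rather than the role's, so neither the password removal nor PASSREQ=NO is needed there.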
From: Gary Mills on 16 Jul 2010 21:32

In <a3575f04-e674-4ea4-b375-06415393cafe(a)j8g2000yqd.googlegroups.com> ITguy <southallc(a)gmail.com> writes:

>> However, they have to know the password for the role account in order
>> to `su' to it. Is there a way in RBAC to permit them to provide their
>> own password instead, or not use a password at all? This behavior
>> would be more convenient for us.

> Remove the password from the role:
>
>     # passwd -d <role>
>
> Change "/etc/default/login" from:
>
>     PASSREQ=YES
>
> to
>
>     PASSREQ=NO

Ah, that's the clue I needed.

--
-Gary Mills-        -Unix Group-        -Computer and Network Services-