[SunHELP] direct login vs. su


Thu Apr 3 05:48:10 CST 2003


Hello guys/gals;

There are a few ways to stop direct login of generic accounts while letting
the accounts be used via su:

http://www.sunmanagers.org/pipermail/summaries/2002-October/004002.html

In addition to the above items, a script can be written to check the user
against a list of users and stop it from direct access.
Since we have a variety of Solaris servers (6/7/8) and too many servers indeed
to install sudo on them, scripting was the most desired way to do this.
But I have noticed a problem with it. If for example you choose 'oracle',
the script (which is part of /etc/profile) works fine and won't let oracle
be used directly while people can su to it from their terminals, and it is
perfect! But if you use the su command in startup scripts it won't work.
Basically the conditions of 'su-ing' to an account in startup files are
exactly the same as a direct login, therefore the account will be stopped from
being processed....

Can someone please clarify for me how I can address this situation and let this
kind of 'su' happen as well.
I have tried to use different things such as $LOGNAME, who-am-i commands...
and tried to check the parent process also, but there are different kinds of
connections and keeping track of all of them is a bit difficult. The code we
use is attached if it helps...

Cheers;
-- Sbnm

#/etc/profile
######################
# Stop direct login  #
######################

# List of generic accounts, one login name per line; lines starting
# with '#' are comments.
GEN_USERS_FILE=/export/home/admin/generic_users
if [ -f "${GEN_USERS_FILE}" ]
then
        # Build a space-separated list of the generic account names
        GENERIC_USERS=`grep -v "^#" ${GEN_USERS_FILE} | awk '{printf("%s ",$1)}'`
        # 'who am i' reports the name the terminal was originally logged in
        # as, so after an su it still shows the real person. With no
        # controlling tty (startup scripts, cron) it prints nothing.
        REAL_USER=`/usr/bin/who am i | awk '{print $1}'`
        # Match the name surrounded by spaces so 'ora' cannot match 'oracle'.
        # NOTE: when REAL_USER is empty the pattern is two spaces, which
        # matches the list's own trailing separators, so tty-less su
        # sessions are blocked as well (the problem described above).
        if [ "`echo \" ${GENERIC_USERS} \" | grep \" ${REAL_USER} \"`" ]
        then
                echo "\nAccount '${REAL_USER}' is a generic account, direct access is not permitted.\n"
                sleep 1
                exit
        fi
fi
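An added example, not the poster's script and not taken from the sunmanagers summary: a POSIX sh version of the same /etc/profile check that classifies each shell start before deciding. It treats an empty "who am i" (no controlling tty, which is what a startup script's su produces) as non-interactive and lets it through, lets an interactive su through because "who am i" still names the terminal's original login, and compares account names exactly instead of with a substring grep. The list file path named in the comments and the sample user list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script: a /etc/profile check that denies
# interactive direct logins of listed generic accounts but lets su from a
# real user's session, and tty-less su from startup scripts, through.
# The generic-users file path and the sample list are constructed for
# illustration; a real list would be read with
#   GENERIC_USERS=$(list_generic_users < /export/home/admin/generic_users)
# (Solaris /bin/sh needs backticks instead of $(...).)

# Constructed sample list in the same format as the posted file:
# one account per line, '#' starts a comment line.
SAMPLE_LIST='# generic accounts that must not be logged into directly
oracle
informix

# application owner
appuser'

# list_generic_users: read a list file on stdin and print the account names,
# one per line, skipping comment and blank lines.
list_generic_users() {
    grep -v '^#' | awk 'NF { print $1 }'
}

# is_generic NAME LIST: succeed if NAME is one of the whitespace-separated
# entries in LIST. Exact comparison, so "ora" never matches "oracle".
is_generic() {
    for entry in $2; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

# login_decision WHO_NAME CUR_USER LIST: classify a shell start.
#   WHO_NAME  first field of "who am i": the name the terminal was logged
#             in as, unchanged by su; empty when there is no controlling tty
#   CUR_USER  the account the shell runs as (id -un)
#   LIST      output of list_generic_users
# Prints allow-noninteractive, allow-su, deny or allow.
login_decision() {
    who_name=$1; cur_user=$2; generic=$3
    if [ -z "$who_name" ]; then
        # No utmp entry for a tty: an rc script or cron job did
        # "su - oracle -c ..."; there is no person to turn away.
        echo allow-noninteractive
    elif [ "$who_name" != "$cur_user" ]; then
        # Terminal belongs to a different login: an interactive su from a
        # real user's own session.
        echo allow-su
    elif is_generic "$cur_user" "$generic"; then
        # Terminal was logged in directly as a generic account.
        echo deny
    else
        echo allow
    fi
}

# Stand-alone run against the constructed list. In /etc/profile the "deny"
# branch would print the message and "exit"; here it only prints the verdict.
GENERIC_USERS=$(printf '%s\n' "$SAMPLE_LIST" | list_generic_users)
REAL_USER=$(who am i 2>/dev/null | awk '{ print $1 }')
CUR_USER=$(id -un)
DECISION=$(login_decision "$REAL_USER" "$CUR_USER" "$GENERIC_USERS")
echo "decision for $CUR_USER (terminal login '$REAL_USER'): $DECISION"
```

Two things to keep in mind when deploying a check like this: a shell that does not read /etc/profile (a non-login shell, or a user who supplies a different shell to ssh or rsh) skips it entirely, so it is a convenience control rather than an enforcement one, and it depends on the login session having a utmp entry, which some remote-access setups do not create. Locking the generic account's password and granting access through su or sudo with logging is what actually enforces the policy; the profile check mainly gives a clear message to people who try the direct route.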
