Disabling user Oracle

Status
Not open for further replies.
Jun 28, 2002
Hello !

I want to stop the DBAs from logging in remotely to any Solaris box using the user oracle. Yet still allow the user oracle to run on the box fine...

Similar to root having console access only.

Any idea of how I can do this ??

P.
 
Hi,

Set the oracle user's shell to /bin/nologin. Create a nologin script that echoes some sort of error message to anybody who logs on as the oracle user. Try searching this forum, as somebody already asked this question before.

feroz
 
I will have a search on the forum.... This doesn't allow su access on the server and will disable the user oracle completely. Not what I am after, I am just trying to stop remote access for the user oracle. It is for auditing purposes so the user oracle can't be abused.

thanks anyway !

P.
 
I think you need to set the shell to /bin/pfsh, the same as you would if using roles. I have several processes run by a gmsadm account, which is in fact a role that I assign to senior members of the GMS team, who in turn can su to this account. The processes are owned by this role and it cannot be logged into from the outside world. Seems to work OK for me and it should work exactly the same for Oracle stuff, I think.
 
Change the passwd and don't tell them it...!

--
| Mike Nixon
| Unix Admin
|
----------------------------
 
Like your thinking there mrn ;-) Almost as good as setting problem users' home directory to /dev/null ;-)
 
You might be able to get away with setting a * for passwd in the shadow file for oracle, set up sudo for oracle, that way you can sudo/sgu to oracle or su to oracle once on the system if root. I'm using a similar setup for our monitoring group. The monitoring id starts up the scripts at boot time with no problems.
 
I have added this to /etc/profile for user oracle on my systems. This prevents direct logging in -- a user can only su - oracle to become oracle. Make sure the DBAs know to use the "-" or their environment won't be set up correctly and they'll blame this script!

Someone on a tek-tips forum posted this a while back.

#===============================================
# Deny application accounts direct login
#===============================================
if [ "`/usr/bin/tty`" != "/dev/console" ]; then
    if [ "$LOGNAME" = "oracle" ]; then
        #
        # Attempt to set /dev/pts# permissions
        #
        /usr/bin/mesg -n 1>/dev/null 2>&1

        #
        # Result codes: 0 - receivable, 1 - not receivable, 2 - Error
        #
        if [ $? -eq 1 ]; then
            echo "================================================================= "
            echo "Direct login as '$LOGNAME' is NOT AUTHORIZED. Use the su(1M) command."
            echo "================================================================= "
            kill -9 $$
        else
            echo " "
            echo "su(1M) to '$LOGNAME' is authorized."
            echo " "
        fi
    fi
fi
 
Did you look at my previous reply to your mail on 7-16? I have the same problem with sybase and other application logins, and the script I posted works for that.

thread60-603975

Tom Pietschmann
DST Systems, Inc.
Kansas City, MO
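
Added example, not part of the thread: a check an administrator could run to confirm that the shadow-file approach suggested above (a "*" in the password field) is actually in place for each application account. The function names, the sample file and its placeholder hashes are constructed for illustration; treating any field that starts with "*" or "!" as locked is a generalization beyond the single "*" the post mentions.

```shell
#!/bin/sh
# Constructed sample in shadow(4) layout; hashes are placeholders, not real.
make_sample() {
    cat <<'EOF'
root:$5$constructed$placeholderhash:12000::::::
oracle:*:12000::::::
sybase:*LK*:12000::::::
gmsadm:NP:12000::::::
appuser:$5$constructed$placeholderhash:12000::::::
nopw::12000::::::
EOF
}

# password_state SHADOW_FILE USER
# Prints: locked | nopassword | empty | password | missing
password_state() {
    # Prefix the field with "F" so an empty field differs from "no such user".
    field=$(awk -F: -v u="$2" '
        $1 == u { print "F" $2; found = 1; exit }
        END     { if (!found) print "MISSING" }' "$1")
    case "$field" in
        MISSING)      echo missing ;;
        F)            echo empty ;;       # no password required at all
        FNP)          echo nopassword ;;  # Solaris marker: no password login
        'F*'*|'F!'*)  echo locked ;;      # "*", "*LK*", "!..." match no hash
        *)            echo password ;;    # a usable hash is present
    esac
}

# Succeeds (exit 0) when the account can still authenticate with a password.
password_login_allowed() {
    case "$(password_state "$1" "$2")" in
        password|empty) return 0 ;;
        *)              return 1 ;;
    esac
}

# Report on the constructed sample; on a real host pass /etc/shadow as root.
SAMPLE=${TMPDIR:-/tmp}/shadow.sample.$$
make_sample > "$SAMPLE"
for acct in oracle sybase gmsadm appuser nopw; do
    printf '%-8s %s\n' "$acct" "$(password_state "$SAMPLE" "$acct")"
done
rm -f "$SAMPLE"
```

This only covers password authentication; SSH keys and .rhosts trust for the same account have to be checked separately.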
 