nologin accounts instead of /bin/ksh

[vg2511]

One of the SA's here is saying to change the application ids we have for oracle , tuxedo to be changed to nologin accounts instead of /bin/ksh.

1)What are the repercussions for this.He is saying we won't be able to login directly but be able to su to the accounts.Is it true.

2)What happens to these account if they are being used by cron jobs having rcp, rsh in them.

Thanks.

 

[bfitzmai]

Another option is to set the default shell to /bin/false.

 

[elgrandeperro]

If "nologin" means to put a '*' in the shadow password crypt text line, I believe that 1 and 2 will still work.

This will still allow network access however, so inbound things that might not require psaswords will still work (ssh keys, rcmds).

If you do a /bin/false, I believe that will break 1 and 2.

gene

 

[Annihilannic]

Solaris RBAC (Role-Based Access Control) is provided to do exactly what you require; basically you define accounts like 'oracle' to be a "role" instead of a "user", and then you define which "user" accounts are allowed to assume that "role".

Annihilannic.