I have a set of RHEL 5 boxes running our ERP software on Oracle databases. I need to allow my DBA's to su to oracle and one other account (banner) without knowing the oracle or banner password. But I need to prevent them from su'ing to any other user especially root. I only want them to be able to switch to the oracle user or the banner user. I've recreate the accounts on a test system to try and work through my confusion and better understand how to use sudo before implementing it on my production systems.
Typically the user changes to these accounts like this:
>sudo su - oralce
They are then prompted to enter their own password and it lets them in. The problem is that they can use the command to become root, or any other user, as well.
I have a group on my system (enterpriseapps) which contains the users I want to grant access to. I edited my /etc/sudoers file. Here's how it looks:
Code:
User_Alias DBA = %enterpriseapps
Runas_Alias ORACLE = oracle, banner
#Cmnd_Alias SU = !/bin/su -, !/bin/su *root*, !/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - oracle, /usr/bin/su - banner, /bin/su - oracle, /bin/su - banner
Cmnd_Alias SU = /usr/bin/su - oracle, /usr/bin/su - banner, /bin/su - oracle, /bin/su - banner
%sysadmin ALL=(ALL) ALL
DBA ALL=(ORACLE) NOPASSWD: SU
So, if I understand it correctly, users in the DBA User_Alias should be able to run from any system (ALL) as users in the ORACLE Runas_Alias with NOPASSWD and they should only be able to run the commands in the SU Cmnd_Alias. Of course, I have my sysadmin group setup so that they can become root.
So I configured my Cmnd_Alias two different ways but they both give me same result:
Quote:
[jonesc@rhcsa03r5v ~]$ sudo su - oracle
[sudo] password for jonesc:
Sorry, user jonesc is not allowed to execute '/bin/su - oracle' as root on rhcsa03r5v.lamar.edu.
|
I've been researching this for days now and still having issues. Anybody got any ideas about what I'm missing here? I'm sure I have misconfigured, just can't see the error.
