Sudden problem with shared user accounts.

From: Harrington, David B (Contractor) (DSCR) (David.Harrington.ctr@dla.mil)
Date: Tue Oct 05 2004 - 09:13:29 EDT


All;

We have a requirement to force all users on our systems who need to run as a
"shared account" to log in with their own personal login, and then execute
'su - (shared user ID)' to run as the other ID. This includes the user
oracle.

We have been accomplishing this by making all users' default shell /bin/ksh,
and editing the /etc/profile file to execute a "who" command piped to a grep
command, which tests for the names of all of the shared users' IDs. If a
match is made, the user is notified, and denied access. No users have
console access. Access is through SSH. Login with ksh or sh uses the
/etc/profile file; csh does not.

This had been working fine for at least a year, until last Friday (October
1). On Friday, on several machines, this test denied access to all people
attempting to log in with a legitimate login. No changes had been made to the
machines involved.

The affected machines are Solaris 8; OS patches are current to about 2
months ago. All the machines run some version of Oracle. Some Oracle
security patches had been installed over the prior week, but no problems
occurred until Friday. We are testing the possibility that these caused the
problem, but results so far do not support this.

Sun patch T116973-03 (Apache) has been applied over the prior two weeks to
all these machines. We removed this patch as part of the testing, but its
removal had no effect.

Has anyone observed anything similar?

Any ideas?

Dave Harrington
Solaris System Administrator - EDS
david.harrington.ctr@dla.mil
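
The kind of check this message describes, as an added example (not the poster's actual /etc/profile code, which is not shown): it contrasts grepping the whole `who` listing with an exact match on the session's own login name. The account list, the sample `who` output and the function names are constructed for illustration, and it is an assumption that `who am i` prints the login name in column 1.

```shell
#!/bin/sh
# Shared account names that may only be reached via 'su -' (constructed list).
SHARED_IDS="oracle appadm"

# Constructed sample of `who` output: two personal logins, one arriving from
# a host whose name happens to contain a shared account name.
SAMPLE_WHO='jsmith     pts/3        Oct  5 09:01    (oracle-gw.example.com)
mbrown     pts/4        Oct  5 09:07    (10.1.2.3)'

# Loose check: grep the whole `who` listing for any shared name.
# Returns 0 (deny) if the name appears anywhere in the listing: on another
# session's line, inside a hostname, or inside a longer user name.
loose_check() {
    who_out=$1
    for id in $SHARED_IDS; do
        if printf '%s\n' "$who_out" | grep "$id" >/dev/null; then
            return 0
        fi
    done
    return 1
}

# Strict check: compare only this session's login name, as a whole word.
# Returns 0 (deny) only when login_name is itself one of the shared IDs.
strict_check() {
    login_name=$1
    for id in $SHARED_IDS; do
        if [ "$login_name" = "$id" ]; then
            return 0
        fi
    done
    return 1
}

# How the strict form could be called from /etc/profile. `who am i` reports
# the owner of the terminal's utmp entry, which stays the personal login
# after 'su - oracle', so the su path is still allowed.
deny_direct_shared_login() {
    me=`who am i 2>/dev/null | awk '{print $1}'`
    if strict_check "$me"; then
        echo "Direct login as '$me' is not allowed; use 'su - $me'." >&2
        exit 1
    fi
}
```

On the sample listing the loose check denies access even though nobody logged in as a shared account, while the strict check denies only a session whose own login name is `oracle` or `appadm`.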