Question about logins and the su command

From: Jonathan Williams (jonathw@shubertorg.com)
Date: Wed Aug 06 2003 - 15:28:10 EDT


Hi. I believe I already know the answer to this question, but I was told to ask
here anyway.

Background:
Our systems (AlphaServer ES40, ES45, ES80, all running Tru64 5.1B, patchkit 2)
have several user accounts that are shared by many users. For example, in order
to start our production application, you have to log in as a specific user (let's
call this user "online"). This works just fine, except that the security people
think this is a terrible plan, because anyone can log in as this user and do
whatever they want, and we would have no way of knowing which person logged in
as this user--so we won't know who to fire. Makes sense. So one "solution"
proposed by the security people was to have separate logins for each person, and
then make them have to "su" to the "online" user to start the application. This
way we can keep track of who su'ed and when. The only problem with this (well,
I'm sure there are many problems with this) is how to prevent people from
logging straight in as user "online".

Question:
Is there a way to set up a user so they can't be logged in directly, but can be
su'ed to from another user?
Or can anyone think of a better way to have a shared account and still be able
to know exactly who logged in as that user? It's almost like we need a second
login or something like that...but anyway, I appreciate any suggestions. =P

Jonathan Williams
Unix Systems Administrator
The Shubert Organization, Inc.
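The "keep track of who su'ed and when" half of the proposal above only pays off if someone actually reads the su log, so here is an added example (not part of the original post, and not Tru64-specific code) that turns the classic System V style su log into the list the security people asked for: who became "online", when, and who tried and failed. It assumes the traditional /var/adm/sulog line layout `SU MM/DD HH:MM + tty fromuser-touser` (`+` success, `-` failure); whether a given Tru64 5.1B box writes exactly that file and layout has to be checked locally, and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: attribute use of a shared
# account ("online") from a System V style su log. The layout assumed is
#     SU MM/DD HH:MM + tty fromuser-touser     ('+' success, '-' failure)
# which is the classic /var/adm/sulog format; the exact file and layout on
# a given Tru64 host must be verified locally. Sample lines are constructed.

SAMPLE_SULOG='SU 08/06 15:28 + ttyp1 jonathw-online
SU 08/06 15:31 - ttyp2 mallory-online
SU 08/06 15:40 + ttyp3 jonathw-root
SU 08/06 16:02 + ttyp4 alice-online
SU 08/06 16:05 + ttyp4 alice-online'

# su_events ACCOUNT: read sulog lines on stdin and print one line per su
# attempt whose target is ACCOUNT, as "MM/DD HH:MM ok|FAILED fromuser tty".
su_events() {
    awk -v target="$1" '
        $1 == "SU" && NF >= 6 {
            n = split($6, part, "-")      # "from-to"; user names may contain "-",
            to = part[n]                  # so treat the last dash as the separator
            from = substr($6, 1, length($6) - length(to) - 1)
            if (to == target)
                print $2, $3, ($4 == "+" ? "ok" : "FAILED"), from, $5
        }'
}

# who_used ACCOUNT: distinct people who successfully became ACCOUNT,
# sorted and space-separated on one line.
who_used() {
    su_events "$1" | awk '$3 == "ok" { print $4 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# failed_attempts ACCOUNT: number of failed su attempts at ACCOUNT. This is
# the number worth alarming on: someone guessing the shared password rather
# than switching from their own audited login.
failed_attempts() {
    su_events "$1" | awk '$3 == "FAILED" { n++ } END { print n + 0 }'
}

# Demo: run as "sh sulog_report.sh demo" (file name is the example's own).
if [ "${1-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SULOG" | su_events online
    printf 'online used by: %s\n' "$(printf '%s\n' "$SAMPLE_SULOG" | who_used online)"
    printf 'failed attempts at online: %s\n' "$(printf '%s\n' "$SAMPLE_SULOG" | failed_attempts online)"
fi
```

In production the functions would read the real log (`su_events online < /var/adm/sulog`) instead of the constructed sample; failed attempts against the shared account are the line to watch, because a person with their own login who uses su correctly never generates one. The other half of the proposal, stopping direct logins as "online" while still allowing su, depends on the account controls of the operating system in question and is not shown here.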



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:30 EDT