Which commands need to run as root: only 'vi', or do you need powermt display, nmon, slibclean and lspv to run as root also?
Our Oracle admin will log in via NSH to an Oracle server. On this machine the Oracle admin can execute all commands with the oracle ID. For the special commands:
slibclean (command on AIX)
the Oracle admin must only run these commands as root, without changing his role.
I have looked at the NSH command rsu, but with this command I can only permit all commands with root permissions (rsu -p root command). But this is a security hole.
I think a perfect way would be if I could create an entry in the users.local file like so:
Now the User with the role "Role"
can execute on this Server:
as root slibclean, nmon, pkgadd
as oracle sqlplus
as wwwrun start the apache with /etc/init.d/httpd2 start
Without the commands entry, a user can execute all other commands with the mapped system account. This is only a suggestion.
Sorry for my bad English.
I do not believe that the syntax below is valid for the users.local file.
I do not believe that you can selectively map commands to one account or another.
Can you create 2 separate roles for this purpose?
I have created two roles for the Oracle admins. But for the future, I think a good way would be if I could create a role that maps to more than one user.
That would be ideal; however, as the product works today, you can map to only 1 local account per role. Submit a ticket with support asking for this functionality.
Was anyone ever able to determine if you could map specific commands to a role in /usr/lib/rsc?
This would be very ideal.
Yes, you can map the commands to a role. The OP wanted to try and map 3 commands to run as root and 3 to run as oracle in the same user/role entry. That is not possible, but what you specified should work. You can also do this in the GUI at the role level by assigning 'command' authorizations in RBAC.
Josh, check with Okey. I gave him insight on how to do this a few weeks ago.
Thanks, we have been working together some... We just can't figure out how to allow the OST to run an NSH script, but at the same time not allow NSH access to the servers through a command prompt (which allows for root access).
Hmmm. I have explained this a few times. Is the problem that you guys cannot determine the right set of NSH commands to authorize?
It seems like when we allow the commands that allow for the script execution, we are also allowing access via the NSH command prompt. So yes, I guess we are not getting the right subset of commands?
You need to specify only the NSH commands needed in the role. When you do this, it essentially places a "deny all" at the end of the list. For example, if I add only the "cp" command to the NSH commands for a role, that is the only NSH command that role will be able to execute on that server. So what needs to be determined is which NSH commands the NSH script executes on the server, and list those as specific NSH authorizations. Does that make sense?
I think the issue is that they need the "nsh" command to execute the script, hence also allowing for the NSH command line.
The ACL would then be equivalent to this right.
Which in effect would allow all.
No, they shouldn't need the 'nsh' command, because that command does not exist on a server with just an agent installed. NSH scripts are actually just executed on the appserver and, depending on the code inside, execute commands on the target systems.
Do you want to export and send me the script job you are trying to execute? I will put it in my VM and see what I can mock up.
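The step the two replies above leave to the reader is the inventory: which command names an NSH script actually invokes, so that exactly those can be listed as NSH command authorizations on the role and everything else falls under the implicit "deny all". The following is an added example, not code from the thread or from BMC: a heuristic Python script that tokenises a script with the standard library's shlex and collects the external command names, ignoring shell keywords, builtins, assignments, redirection targets and locally defined functions. Assumptions: NSH scripts are close enough to POSIX sh for this tokenising; the keyword and builtin lists are an approximation; the sample job script, the host names and the use of nexec as the remote-execution command in it are constructed for the example; heredocs and case patterns are not handled.

```python
"""Heuristic inventory of the external commands an NSH/sh-style script invokes.

Added example (not from the forum thread). Assumption: NSH scripts tokenise like
POSIX sh. Output is the set of names you would consider granting as specific NSH
command authorizations on the role; anything not granted is implicitly denied.
"""
import posixpath
import shlex

# Approximate POSIX sh reserved words and builtins (assumption: NSH matches).
KEYWORDS = {"if", "then", "else", "elif", "fi", "for", "in", "do", "done", "while",
            "until", "case", "esac", "{", "}", "!", "select"}
BUILTINS = {"echo", "cd", "export", "set", "unset", "read", "return", "exit", "shift",
            "test", "[", "true", "false", "local", "eval", ":", "printf", "break",
            "continue", "wait", "trap", "umask", "source", "."}
PREFIX_BUILTINS = {"exec", "command"}               # builtin; real command follows
PREFIX_COMMANDS = {"sudo", "nohup", "time", "env"}  # external; real command follows


def _tokens(line):
    # Backticks become "(" so that shlex treats a `...` substitution as a command
    # boundary, exactly like the "(" of a $(...) substitution.
    lex = shlex.shlex(line.replace("`", "("), posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return [t for t in lex if t]


def commands_in_script(text):
    """Return the set of external command names (basenames) the script runs."""
    cmds, defined = set(), set()
    for line in text.splitlines():
        toks = _tokens(line)
        expect_cmd, skip_next, in_wordlist = True, False, False
        for i, tok in enumerate(toks):
            if skip_next:                    # target of a redirection, or a function name
                skip_next = False
                continue
            if in_wordlist:                  # 'for v in a b c' up to ';' or 'do'
                if tok in (";", "do"):
                    in_wordlist, expect_cmd = False, True
                continue
            if tok[0] in "<>" or tok.startswith("&>"):   # redirection: skip its target
                skip_next = True
                continue
            if all(c in "();|&" for c in tok):            # pipe, list operator, subshell
                expect_cmd = True
                continue
            if tok == "function" and i + 1 < len(toks):   # 'function name { ... }'
                defined.add(toks[i + 1])
                skip_next = True
                continue
            if tok in KEYWORDS:
                if tok in ("for", "select"):
                    in_wordlist = True
                expect_cmd = True
                continue
            if not expect_cmd:               # an argument, not a command
                continue
            if "=" in tok and not tok.startswith("="):    # VAR=value prefix
                continue
            if i + 1 < len(toks) and toks[i + 1] == "()":  # 'name() { ... }'
                defined.add(tok)
                expect_cmd = False
                continue
            if tok in BUILTINS or tok in PREFIX_BUILTINS:
                expect_cmd = tok in PREFIX_BUILTINS
                continue
            if not (tok[0].isalnum() or tok[0] in "/._"):  # $var, '[', operators
                continue
            cmds.add(posixpath.basename(tok))
            expect_cmd = tok in PREFIX_COMMANDS
    return cmds - defined


def missing_authorizations(text, authorized):
    """Commands the script needs that the role's NSH command list lacks."""
    return sorted(commands_in_script(text) - set(authorized))


# Constructed sample job script; hosts, paths and commands are made up for the example.
SAMPLE_NSH_SCRIPT = """\
#!/bin/nsh
# constructed sample, not a real job
HOST=$(hostname)
ORACLE_LOG=/var/log/oracle_cleanup.log
for h in //oradb01 //oradb02; do
    nexec $h slibclean > /dev/null 2>&1
    nexec $h nmon -f -s 30 -c 120 || echo "nmon failed on $h" >> $ORACLE_LOG
done
cp //oradb01/etc/oratab /tmp/oratab.$HOST
ls -l /tmp/oratab.$HOST | awk '{print $5}'
if [ -f /tmp/oratab.$HOST ]; then
    grep -v '^#' /tmp/oratab.$HOST
fi
"""

if __name__ == "__main__":
    print("commands used:", sorted(commands_in_script(SAMPLE_NSH_SCRIPT)))
    print("not yet authorized:", missing_authorizations(SAMPLE_NSH_SCRIPT, {"cp", "ls"}))
```

Two things to notice in the output for the sample: "nsh" itself never appears, which matches the point made above that the script runs on the appserver rather than through an nsh binary on the target; and slibclean and nmon do not appear either, because they are arguments to nexec. Which local account those run as on the target is decided by the role's users.local mapping discussed at the top of the thread, not by the NSH command authorizations.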