14 Replies Latest reply on Mar 11, 2010 10:02 AM by Adam Bowen

    Role creating

    Jens Heilmann

      Hi all,


      I am looking for a way to create a role for an Oracle admin. In our environment the Oracle admin has the rights to execute commands via sudo as root. These commands are powermt display, nmon, slibclean, lspv and so on. Now I can create a role with this


      OracleAdmin:user1 rw,map=oracle


      But how can I insert the special commands with root enabled in this role?


      Can I start two nsh shells on one client with different roles?


      So that I create

      OracleAdmin:user1 rw, map=oracle

      OracleRoot:user1 rw,map=root,commands=nmon:powermt display:slibclean:lspv


      Sorry for my bad English.




      Jens Heilmann

        • 1. Re: Role creating
          Bill Robinson

          Which commands need to run as root - only 'vi' or do you need powermt display, nmon, slibclean, lspv to run as root also?

          • 2. Re: Role creating
            Jens Heilmann

            Hi all,


            Our Oracle admin will log in via nsh to an Oracle server. On this machine the Oracle admin can execute all commands with the oracle ID. For the special commands:


            powermt display


            slibclean (command on AIX)


            and more


            the Oracle admin must only run these commands as root without changing his role.


            I have looked at the nsh command rsu, but with this command I can only permit all commands with root permissions (rsu -p root command). But this is a security hole.


            I think a perfect way would be if I can create an entry in the users.local file like


            Role:User rw,map=root:commands=slibclean,nmon,pkgadd,map=oracle:commands=sqlplus,ls,map=wwwrun:commands=httpd2




            Now the user with the role "Role" can execute on this server:


            as root slibclean, nmon, pkgadd


            as oracle sqlplus


            as wwwrun start the Apache with /etc/init.d/httpd2 start


            Without the commands entry a user can execute all other commands with the mapped system account. This is only a suggestion.


            Sorry for my bad English.




            Jens Heilmann

            • 3. Re: Role creating
              Bill Robinson

              I do not believe that the syntax below is valid for the user.local file.


              I do not believe that you can selectively map commands to one account or another.


              Can you create 2 separate roles for this purpose?

              • 4. Re: Role creating
                Jens Heilmann



                I have created two roles for the Oracle admins. But for the future, I think that a good way would be if I can create a role with a map on more than one user.




                Jens Heilmann

                • 5. Re: Role creating
                  Bill Robinson

                  That would be ideal; however, as the product works today, you can map to only 1 local account per role. Submit a ticket with support asking for this functionality.

                  • 6. Re: Role creating

                    Was anyone ever able to determine if you could map specific commands to a role in /usr/lib/rsc?


                    SMC_MECH_test:Joshua.Kerr                   rw,map=root,commands=passwd:nexec.....etc


                    This would be very ideal.




                    • 7. Re: Role creating
                      Bill Robinson

                      Yes, you can map the commands to a role. The OP wanted to try and map 3 commands to run as root, and 3 to run as oracle in the same user/role entry. That is not possible, but what you specified should work. You can also do this in the GUI at the role level by assigning 'command' authorizations in RBAC.

                      • 8. Re: Role creating

                        Josh, check with Okey. I gave him insight on how to do this a few weeks ago.

                        • 9. Re: Role creating

                          Thanks, we have been working together some... we just can't figure out how to allow the OST to run an nsh script, but at the same time not allow nsh access to the servers through a command prompt (which allows for root access).



                          • 10. Re: Role creating

                            Hmmm. I have explained this a few times. Is the problem that you guys cannot determine the right set of NSH commands to authorize?

                            • 11. Re: Role creating

                              It seems like when we allow for the commands that allow for the script execution, we are also allowing for access via the nsh command prompt, so yes, I guess we are not getting the right subset of commands?




                              • 12. Re: Role creating

                                You need to specify only the NSH commands needed in the role. When you do this it essentially places a "deny all" at the end of the list. For example, if I add only the "cp" command to the NSH commands of a role, that is the only NSH command that role will be able to execute on that server. So, what needs to be determined is what NSH commands the nsh script is executing on the server, and list those as specific NSH authorizations. Does that make sense?

                                • 13. Re: Role creating

                                  I think the issue is that they need the "nsh" command to execute the script, hence also allowing for the nsh command line.


                                  The ACL would then be equivalent to this right.

                                  Allow ALL

                                  Deny ALL


                                  Which in effect would allow all.

                                  • 14. Re: Role creating

                                    No, they shouldn't need the 'nsh' command because that command does not exist on a server with just an agent installed. Nsh scripts are actually just executed on the appserver and, depending on the code inside, execute commands on the target systems.


                                    You want to export and send me the script job you are trying to execute? I will put it in my vm and see what I can mock up.
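The thread settles on two rules for the role entries shown above: each entry maps to exactly one local account (reply 5 and reply 7), and a `commands=` clause is an allow-list with an implicit deny-all behind it, while an entry without one lets the mapped account run anything (reply 2's last paragraph and reply 12). The following script is an added example, not BladeLogic's parser or any code from the thread; it is a toy model of only the syntax visible in the posts (`Role:User perms,map=<account>,commands=<cmd1>:<cmd2>`), written so that an administrator can lint a `users.local` fragment for the two mistakes discussed: an unrestricted `map=root` entry, and a `commands=` list that includes `nsh` and so hands out the interactive shell reply 13 was worried about. The sample lines are constructed, and matching a request either on the full command string or on its base name is an assumption of the model, not documented product behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RoleEntry:
    role: str
    user: str
    perms: str
    map_account: Optional[str]
    commands: List[str]          # [] means no commands= clause was given


def parse_entry(line: str) -> RoleEntry:
    """Parse one 'Role:User perms,map=acct,commands=a:b' line (toy model).

    Rejects the multi-account syntax proposed in reply 2, since the thread
    says a role entry maps to only one local account.
    """
    parts = line.split(None, 1)                   # Role:User, then the options
    if len(parts) != 2 or ":" not in parts[0]:
        raise ValueError(f"malformed entry: {line!r}")
    role, user = parts[0].split(":", 1)
    options = [o.strip() for o in parts[1].split(",")]   # tolerate 'rw, map=x'
    perms, kv_options = options[0], options[1:]
    map_account: Optional[str] = None
    commands: List[str] = []
    for opt in kv_options:
        if "=" not in opt:
            raise ValueError(f"unknown option {opt!r} in {line!r}")
        key, value = opt.split("=", 1)
        if key == "map":
            if map_account is not None:
                raise ValueError(f"only one map= per role entry: {line!r}")
            map_account = value
        elif key == "commands":
            commands = [c for c in value.split(":") if c]
        else:
            raise ValueError(f"unknown option key {key!r} in {line!r}")
    return RoleEntry(role, user, perms, map_account, commands)


def is_allowed(entry: RoleEntry, command: str) -> bool:
    """Allow-list semantics from reply 12: no commands= clause means anything
    the mapped account can run; otherwise only listed commands, deny all else.
    Assumption: a request matches on the full string or on its base name."""
    if not entry.commands:
        return True
    words = command.split()
    base = words[0] if words else ""
    return command in entry.commands or base in entry.commands


def audit_entries(lines: List[str]) -> List[str]:
    """Return one finding per risky or invalid entry; blank and # lines skipped."""
    findings: List[str] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            e = parse_entry(line)
        except ValueError as exc:
            findings.append(f"{line.split()[0]}: rejected ({exc})")
            continue
        if e.map_account == "root" and not e.commands:
            findings.append(f"{e.role}: maps to root with no commands= restriction")
        if "nsh" in e.commands:
            findings.append(f"{e.role}: lists 'nsh', which grants an interactive shell")
    return findings


# Constructed sample fragment; the first three entries mirror ones in the thread.
SAMPLE_USERS_LOCAL = [
    "# constructed sample, not a real users.local",
    "OracleAdmin:user1 rw, map=oracle",
    "OracleRoot:user1 rw,map=root,commands=nmon:powermt display:slibclean:lspv",
    "SMC_MECH_test:Joshua.Kerr                   rw,map=root,commands=passwd:nexec",
    "Unrestricted:user2 rw,map=root",
    "Scripts:user3 rw,map=root,commands=nsh:cp",
    "Role:User rw,map=root:commands=slibclean,nmon,pkgadd,map=oracle:commands=sqlplus,ls,map=wwwrun:commands=httpd2",
]

if __name__ == "__main__":
    for finding in audit_entries(SAMPLE_USERS_LOCAL):
        print(finding)
    root_role = parse_entry(SAMPLE_USERS_LOCAL[2])
    print("powermt display allowed:", is_allowed(root_role, "powermt display"))
    print("pkgadd allowed:", is_allowed(root_role, "pkgadd"))
```

Run against the sample, the audit flags `Unrestricted` (root with no allow-list), `Scripts` (the `nsh` entry), and rejects the `Role:User` line from reply 2 because its second token, `nmon`, is not a `key=value` option in the syntax the thread confirms. The `OracleRoot` entry, which is what the original poster ended up creating as one of two separate roles, permits `powermt display` and denies `pkgadd`.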