Re: Allowing users to execute shell scripts without seeing password

  • From: Joseph Amalraj <joseph@xxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 20 Feb 2006 07:39:06 -0800 (PST)

Basically, the /etc/passwd file is also a password server.
If the desired script is put in place of the shell (the 7th item of the line),
this userid can become an application id.

Users who have to use this script will have to su to it and enter the
application password. It is also possible to limit the number of users who can
su to the application id (this depends on the unix platform).

Joseph Amalraj

Jared Still <jkstill@xxxxxxxxx> wrote:
    
If the user has read permissions on the password file, as would
be required by this scenario, then nothing is solved.

It does make it much easier for the user to access the passwords
directly, as they are now stored in one place.

A better solution is a password server that stores the passwords
in an encrypted file, authenticates users and allows them to
retrieve only the passwords they are authorized to see. 

We are implementing Enterprise Password Server from Argosy
Telecrest to do that for the SAs for server passwords.

I use a password server written in Perl that allows retrieving passwords
from the command line (or in scripts) and has an API for Perl. 

Well of course it is written in Perl.

See http://jaredstill.com/books.html

If you get the password server running, ask me and I will supply the
one that works with an encrypted password file. 

It has its shortcomings. It should work with certificates rather than a
passphrase stored in a user's file. Lack of time and insufficient motivation
have prevented that particular problem from being resolved.

It is however much better than a user-readable password file.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
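The two checks the thread turns on, shown as an added example that is not part of either poster's message: which accounts have a wrapper script in the 7th (login shell) field of a passwd-format line, and which entries still carry a password hash in the world-readable file instead of the "x" marker that points to a protected shadow file. The passwd lines, the hash and the allowlist of standard shells are constructed for the example.

```python
"""Audit passwd-format lines: find accounts whose login shell is a wrapper
script, and accounts whose hash sits in the user-readable file itself."""

# Constructed sample passwd lines; not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
oracle:x:1001:1001:Oracle software owner:/home/oracle:/bin/ksh
appbatch:x:1002:1002:Application batch id:/opt/app:/opt/app/bin/run_batch.sh
legacy:$1$constructedhash:1003:1003:Legacy app id:/home/legacy:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Assumed allowlist of ordinary login shells; a real audit would read /etc/shells.
STANDARD_SHELLS = {
    "/bin/sh", "/bin/bash", "/bin/ksh", "/bin/csh",
    "/usr/sbin/nologin", "/bin/false",
}

# Values in field 2 that mean "no hash stored here" (shadowed or locked).
NO_HASH_MARKERS = {"x", "*", "!", ""}


def parse_passwd(text):
    """Split passwd-format text into dicts, one per account.

    Each line has exactly seven colon-separated fields:
    name:passwd:uid:gid:gecos:home:shell. Blank and comment lines are skipped;
    a line with the wrong field count is treated as corruption and rejected.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "passwd": passwd, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def script_shell_accounts(entries, allowlist=STANDARD_SHELLS):
    """Names of accounts whose login shell is not a standard shell, i.e. the
    'put the script in place of the shell' pattern from the thread. Each one is
    an application id whose script runs with that account's credentials, so it
    deserves review of who is allowed to su to it."""
    return [e["name"] for e in entries if e["shell"] not in allowlist]


def hash_in_passwd(entries):
    """Names of accounts whose password field holds an actual hash rather than
    a shadow marker. Because passwd must be world-readable for lookups, such a
    hash is exposed to every local user, which is the objection raised to any
    user-readable password file."""
    return [e["name"] for e in entries if e["passwd"] not in NO_HASH_MARKERS]


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("script-as-shell accounts:", script_shell_accounts(accounts))
    print("hash stored in passwd:", hash_in_passwd(accounts))
```

Run against a real file with `parse_passwd(open("/etc/passwd").read())`; the first report lists the application ids that need a su restriction (a wheel or pam_wheel-style group, depending on platform), the second should come back empty on any shadow-enabled system.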
