RE: Question regarding sudo equivalents

From: "Dimensional DBA" <dimensional.dba@xxxxxxxxxxx>
To: <fnantes@xxxxxxxxx>, <pete.sharman@xxxxxxxxxx>
Date: Thu, 16 Jun 2016 10:20:47 -0700

Most of the time when a third party app is requested instead of the
functionality offered by the OS it is for other compliance reason, such as
central management and reporting of rights across the organization.

Matthew Parker

Chief Technologist

Dimensional DBA

425-891-7934 (cell)

D&B 047931344

CAGE 7J5S7

Dimensional.dba@xxxxxxxxxxx

<http://www.linkedin.com/pub/matthew-parker/6/51b/944/> View Matthew Parker's
profile on LinkedIn

www.dimensionaldba.com <http://www.dimensionaldba.com/>

From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On ;
Behalf Of Fernando N. de Souza
Sent: Thursday, June 16, 2016 6:25 AM
To: pete.sharman@xxxxxxxxxx
Cc: oracle-l@xxxxxxxxxxxxx
Subject: Re: Question regarding sudo equivalents

Peter,

All our db servers run on Solaris. Our sysadmins configured the oracle user as
a role (RBAC) and granted the dbas the ability to type "su - oracle" in order
to login as oracle. That was how we did it, until we went to OEM 12c and needed
to do things like patching and other tasks that require agent authentication.
OEM does not support authenticating into the oracle user when it is configured
as a role. After some back and forth with the sysadmins and a decree from
management, sudo was installed on all Solaris servers.

In our case, it would be very helpful if OEM supported authentication and
privilege delegation to an oracle user configured as a role. It would eliminate
the need to install sudo on our Solaris servers. I'm a big fan of sudo, but
it's not needed in our environment because Solaris RBAC provides the same
functionality.

According to the sysadmins, RBAC accounts have advantages like preventing
remote connections directly into the oracle account, better auditing, etc. But
I'm not a sysadmin and can't give much details on that.

I hope it helps.

--

Fernando.

To educate a man in mind and not in morals is to educate a menace to society.

Theodore Roosevelt

On Mon, Jun 13, 2016 at 7:08 PM, Peter Sharman <pete.sharman@xxxxxxxxxx> wrote:

Folks

Got a question for you which you can answer on or off-list depending on your
preferences - that is, if you want to answer at all! J

If you need secured access to root (i.e. sudo-like functionality) what are you
using to get that access?  The reason I’m asking is because I was on a call
with a customer this morning and they said sudo was old hat and no-one in their
industry uses it any more.  Now that’s the first I’ve heard of that, as just
about every customer I’ve dealt with apart from this particular customer is
using sudo quite happily.  I occasionally run across PowerBroker, but that’s
about it.  I’d be interested to find what people are using, particularly since
Enterprise Manager supports sudo or PowerBroker to get this functionality, and
if people are moving away from that we need to look at broadening what we
support in the product.

Thanks!

Pete

Oracle logo

Pete Sharman
Database Architect, DBaaS / DBLM
Enterprise Manager Product Suite
33 Benson Crescent CALWELL ACT 2905 AUSTRALIA

Phone:  <tel:+61262924095> +61262924095 | | Mobile: +61414443449
<tel:%2B61414443449>
Email:  <mailto:pete.sharman@xxxxxxxxxx> pete.sharman@xxxxxxxxxx  Twitter:
@SharmanPete  LinkedIn: au.linkedin.com/in/petesharman
Website: petewhodidnottweet.com

  _____

"Controlling developers is like herding cats."

Kevin Loney, Oracle DBA Handbook

"Oh no, it's not, it's much harder than that!"

Bruce Pihlamae, long term Oracle DBA

  _____

References:
- Question regarding sudo equivalents
  - From: Peter Sharman
- Re: Question regarding sudo equivalents
  - From: Fernando N. de Souza

RE: Question regarding sudo equivalents

Other related posts: