RE: "oracle" lockdown

  • From: "Powell, Mark" <mark.powell2@xxxxxx>
  • To: "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 26 Feb 2014 20:43:50 +0000

I do not think items #1 and #3 are an issue, since I have worked on systems 
like that, but I am not sure about item #2, "no shell."  What exactly does that 
mean?


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Herring, David
Sent: Wednesday, February 26, 2014 3:20 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: "oracle" lockdown

Folks,

Our team is about to be placed in a more challenging situation where the OS 
account "oracle" will be locked down in the following ways:

1)  No direct logons.
2)  No shell can be created by "oracle".
3)  Execution as "oracle" can be done by DBA accounts using: "sudo -u oracle 
<cmd>".

I'm tasked with coming up with a test plan for each environment converted over 
to this configuration.  While I can come up with the various commands we 
typically use off a consolidation of ~/.bash_history on all servers, I'm 
concerned about the environment when running "sudo -u oracle".  I'm told that 
there's no guarantee on what env variables will be set, so if I expect any 
particular values I'll have to put it all in a script, since we can't run 
multiple commands on one line (like "sudo -u oracle export ORACLE_SID=dave; 
export ORAENV_ASK=NO; . oraenv; ...").

My first thought is we'll need some sort of wrapper script, with arguments for 
the ORACLE_SID and command line to run.  Has anyone run into this type of 
situation and if so how did you handle it?  There's still no word on how we're 
going to manage interactive installs.  I feel like I'm on the Indians in the 
movie "Major League".

Dave Herring

--
//www.freelists.org/webpage/oracle-l


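A sketch of the kind of wrapper Dave describes, added here as an illustration and not taken from the thread or from any poster: a script a DBA would invoke as "sudo -u oracle /usr/local/bin/ora_run.sh SID command [args...]". It sets ORACLE_SID, ORACLE_HOME and PATH itself from /etc/oratab rather than trusting whatever sudo's env_reset leaves behind, and it refuses any SID that is not a plain name listed in oratab, so the first argument can never smuggle in a second command. The script name, function names, the sample oratab entries and the ORACLE_HOME paths are all constructed for the example.

```shell
#!/bin/sh
# ora_run.sh (hypothetical wrapper, example code): run ONE command as "oracle"
# with a deterministic Oracle environment. Intended use:
#   sudo -u oracle /usr/local/bin/ora_run.sh ORACLE_SID command [args...]
# sudo's env_reset means nothing from the DBA's login reaches this script,
# so every variable the command needs is set here, from oratab.

ORATAB="${ORATAB:-/etc/oratab}"   # oratab path; overridable for testing

# Write a constructed sample oratab (not from any real host) to a temp file
# and print its path, so the example can run offline.
make_sample_oratab() {
  _f=$(mktemp) || return 1
  printf '%s\n' \
    '# constructed sample oratab for the example' \
    'dave:/u01/app/oracle/product/11.2.0/dbhome_1:Y' \
    'ORCL:/u01/app/oracle/product/12.1.0/dbhome_1:N' > "$_f"
  printf '%s\n' "$_f"
}

# A SID is accepted only if it is non-empty, made of [A-Za-z0-9_] and appears
# as the first field of an oratab line. The character check runs before the
# name is used in any pattern or path, so ";", "$(", "../" and so on are
# rejected before they can do anything.
valid_sid() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  grep -q -- "^$1:" "$ORATAB"
}

# Print the ORACLE_HOME recorded in oratab for an (already validated) SID.
oracle_home_for() {
  awk -F: -v s="$1" '$1 == s && $2 != "" { print $2; exit }' "$ORATAB"
}

# Validate the SID, then run the command from an empty environment with only
# the variables set below. Return 2 on usage or validation errors, otherwise
# the command's own exit status (sudo logs who ran what; the status is for
# the calling script).
ora_run() {
  _sid="$1"
  shift
  if [ "$#" -eq 0 ]; then
    echo "usage: ora_run.sh ORACLE_SID command [args...]" >&2
    return 2
  fi
  if ! valid_sid "$_sid"; then
    echo "ora_run.sh: refusing SID '$_sid': not a plain name listed in $ORATAB" >&2
    return 2
  fi
  _home=$(oracle_home_for "$_sid")
  # env -i starts from nothing: the command sees exactly these variables,
  # regardless of what the DBA's shell or sudo's policy would have passed on.
  env -i \
    ORACLE_SID="$_sid" \
    ORACLE_HOME="$_home" \
    LD_LIBRARY_PATH="$_home/lib" \
    PATH="$_home/bin:/usr/bin:/bin" \
    HOME="${HOME:-/}" \
    "$@"
}

# Entry point when invoked with arguments (functions stay sourceable for tests).
if [ "$#" -gt 0 ]; then
  ora_run "$@"
  exit $?
fi
```

With "sudo -u oracle" restricted in sudoers to this one script by full path, the DBA can still run "sudo -u oracle /usr/local/bin/ora_run.sh dave sqlplus -S / as sysdba" or any single command, while the set of environment variables the command sees is decided by the wrapper and not by whoever typed the sudo line. Extending it to other environment variables is a matter of adding them to the env -i list; anything needing several commands in sequence goes into its own script that the wrapper then runs.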