any way to use SU command without prompt for password

myelvis · November 16, 2003, 8:07pm

Hi,
First i want to tell you i am not a administrator and everytime to run a sqlscritpt i have to login as SU in a particular account to connect to sqlplus..

I want to write a script which can make me free by doin this .. since i am having the permission for SU i want to know if i can SUDO into that particular account without getting a prompt for entering password ... Is there a way i can provide password to SU so that it doesn't give me password prompt..

Thanks for any help you can provide me in this ....

norsk_hedensk · November 16, 2003, 8:26pm

take a look and see if you have the 'sudo' program installed on your system. sudo can do this and its configuration is controlled by the /etc/sudoers file. it is easy to set up.

kduffin · November 17, 2003, 1:29am

You should always identify which platform you are working with. There are often facilities that are particular to the OS that may accomplish a desired task. For example, Solaris has the RBAC facility that can authorize a user to execute a program with an effective uid.

I'd be extremely cautious in what you are describing. You don't want to sacrifice security for ease of use. There are other options such as setuid with extended ACLs (setfacl) or if it is a job that will run as a scheduled job, running it out of root's cron.

Cheers,

Keith

myelvis · November 17, 2003, 9:24am

Hi guys ,

Thanks for the reply and sorry for not letting you the flavour of UNIX i am working on ..

I am on SUN solaris 5.7 ....

I do have the sudo installed but don't have access to view the /etc/sudoers file .

My point is if i am authorize to do a particular thing then i should be able to do it within my login ... Looking for a way to do it ...

I will take care of the security issue ....
See if u can help me out
c ya

kduffin · November 17, 2003, 9:29am

Sun Solaris makes it easy. It has a built in called RBAC (Role Based Access Controls). Do a man on user_attr, exec_attr and prof_attr. I'll drop a FAQ in a day or so for RBAC without the SMC.

Cheers,
Keith

myelvis · November 17, 2003, 1:57pm

Hi Keith,

Thanks for letting me know about RBAC.But sadly i don't seem to have any man entry for either of these : user_attr, exec_attr and prof_attr.

Don't really know what exactly these are .. Would be great if you could tell me abt these attributes in detail ..

Really appreciate your help

Take care

kduffin · November 17, 2003, 5:11pm

RBAC is a sadly under used facility in Solaris. The nice thing about RBAC is that if you are using auditing to meet C2 compliance, the audit trail is maintained, whereas such tools as sudo don't address BSM options in Solaris and break the audit trail. I don't have 5.7 running anywhere (just 8/9), so I'd take a close look at the file formats before following my example.

Oops - there's the call for dinner. I'll post the example tonight. Typically you administer RBAC from the SMC, but I don't like it and tend to leave it off and edit the files directly. You can grab some blueprints from sun.com/bigadmin.

Cheers,

Keith

Neo · November 17, 2003, 7:27pm

Keith,

Please edit your posts and remove the URL and your email address from all posts. URLs can be posted only if you are pointing to documents, etc.that are part of the post. Email sigs are not allowed. Sorry, that is the rules for all. If folks want to see your site or find your email address they can look at your profile.

i have edited a few, but leave it up to you to edit all the rest.

Thanks for your cooperation. Neo