Individual usernames for the same login account

Hi

There is an application installed on a server that has a unique login account, but many users are using it with the same login name! How can we overcome this by creating individual accounts for the same application login account?

Maybe I misunderstood, but you already answered it yourself?

No, everybody uses the same login name to log into the application, so there is no way to tell who did what. Maybe my English is not that perfect, as it's not my first language.

Is that because the application, as a UID, is the only one with write permission on the application files?
Creating new UIDs will not solve your problem, and creating new accounts with the same UID will have side effects from time to time...
Either you create a group for that app and add the users to it AND the group has write perms, so a directory would look like rwxrws--x etc...
or you force those users to use sudo and change the password so they can't log in to that account anymore.

And of course there is always the possibility to use RBAC...


Check if the below helps.
If you want to log the details about who did what, try capturing the OS-level username.
Even though you log in as a different user,

who am i

will give you the OS user

if I

su

will I be able to track that particular user's activity?


What I really want is single login accounts to please the audit guys.

What I think you need to do is:

Set each user up with their own account.

Put all these users into a new group (vbe already said that).
This allows you to set file permissions for the group as a whole.

You can set these users to all have the same home directory (so that they all land in the application directory, and execute the same profile, etc), when they login.

(I assume that the application already tolerates multiple logins so handles the file locking, etc for multiple users).

To audit activity, I don't know, but you can use something like this in that particular .profile:

# Set history on:
  HISTFILE=$HOME/.history_of.$LOGNAME.$$
  export HISTFILE

Either you take off $$ and have a history per user, or use $$ to have a session history, but that means maybe a lot of tidying up on a very regular basis.

The best way to handle this kind of situation is to implement SUDO or RBAC.

RBAC will need considerable effort and study, though I have not seen/worked on any RBAC implementations.

SUDO is the easiest of all, and the logging can be customized and routed to a separate log file. Sufficient restrictions can be built into the configuration too.

Providing an application account password to multiple users is the most dangerous way of giving access. If one user's access is to be removed, then you would have to reset the password and provide the new one to every other user.

Implementing these kinds of restrictions is easy with SUDO/RBAC.

Since the post is old, hope you might have found a way already.

Good luck!

Aren't you self contradicting with both of these statements?


There are several ways to allow different Solaris users to run your application with the shared login account. However, there would be no simple way, if any, to sort out who did what using the application unless the application logs record a session ID for each event.

In the worst-case scenario, i.e. two users logging in and launching the application at the very same time, you won't be able to sort them out.

As for how to do it, RBAC and sudo have already been suggested; which one to pick will, beyond other factors, depend on what Solaris release you are using (10 or 11).

Can you describe what the users see/do after the login? Are they locked into the application or dropped to the command line?

If the application absolutely has to run as that user, then I'd be very tempted to set up individual accounts with a common group and give them all a sudo privilege (by OS group) to allow them all to execute the specific command:-

sudo su - appl_id -c "/path/to/application parm1 parm2 ...."

I think you would add something like this with visudo:-

%user_group ALL=(root) NOPASSWD: su - appl_id -c "/path/to/application parm1 parm2 ...."

You can then script a simple startup script, a simple menu, or force them all to run this at login so they are held within the application. Logging within the application is another matter though, but who am i will give you the real logged-in user account. Don't be confused with whoami though. This may just give you the current process owner, in this case the application account.

Robin

Beware that sudo is not part of a standard Solaris 10 (and older) installation, so it might not be available on your system. On the other hand, RBAC is standard, so here is the RBAC way to implement a similar feature:

  • add the following line to /etc/security/prof_attr
MyApplication:::Allows multiple users to run my application:
  • these ones to /etc/user_attr
testuser1::::profiles=MyApplication
testuser2::::profiles=MyApplication
  • and finally, that one to /etc/security/exec_attr
MyApplication:suser:cmd:::/path/to/application:uid=appl_id;egid=appl_id

With these settings, both testuser1 and testuser2 will be able to run the "application" command as appl_id with this command:

$ pfexec /path/to/application
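The launcher below is an added example, not code posted in this thread or shipped with any product. It ties together three of the suggestions above: the per-user HISTFILE trick in appl_id's .profile, Robin's sudo-by-group command, and the RBAC/pfexec entry in the last post. The idea is that the wrapper, not the application, is what users are allowed to run as appl_id, and the wrapper writes down who really started it before exec'ing the real program. The names appl_id, /path/to/application (from the thread), /usr/local/bin/appl_launch and /var/log/appl_launch.log are assumptions; the sudoers and exec_attr lines in the comments are the grants the wrapper assumes, not ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): launcher that individual users run as the
# shared application account, via either
#   sudoers:    %user_group ALL=(appl_id) NOPASSWD: /usr/local/bin/appl_launch
#               (users run: sudo -u appl_id /usr/local/bin/appl_launch parm1 parm2)
#   exec_attr:  MyApplication:suser:cmd:::/usr/local/bin/appl_launch:uid=appl_id;egid=appl_id
#               (users run: pfexec /usr/local/bin/appl_launch parm1 parm2)
# It records the real login user before handing control to appl_id, so the audit
# trail answers "who did what" even though every process ends up owned by appl_id.
# Hypothetical names: appl_id, /path/to/application, /var/log/appl_launch.log.

APP=${APPL_PATH:-/path/to/application}            # hypothetical application path
LOG=${APPL_LAUNCH_LOG:-/var/log/appl_launch.log}  # hypothetical log, owned by appl_id

# Real login user of this session, in order of preference:
#   1. SUDO_USER, which sudo sets to the invoking user (pfexec does not set it);
#   2. `who am i`, the login name tied to the controlling terminal; it survives
#      su/sudo/pfexec because it comes from the utmp record, not the process uid;
#   3. LOGNAME as a last resort (not trustworthy: any user can export it).
real_user() {
    if [ -n "${SUDO_USER:-}" ]; then
        printf '%s\n' "$SUDO_USER"
        return 0
    fi
    u=$(who am i 2>/dev/null | awk '{ print $1 }')
    if [ -n "$u" ]; then
        printf '%s\n' "$u"
        return 0
    fi
    printf '%s\n' "${LOGNAME:-unknown}"
}

# Per-user history file for the case where users land in a shell as appl_id:
# same idea as HISTFILE=$HOME/.history_of.$LOGNAME above, but keyed on the real
# login user, which $LOGNAME no longer reflects after su/sudo.
# Usage from appl_id's .profile:   HISTFILE=$(history_file); export HISTFILE
history_file() {
    printf '%s/.history_of.%s\n' "${HOME:-/tmp}" "$(real_user)"
}

# One audit record: UTC timestamp, real user, effective user, tty, command line.
audit_line() {
    if tty -s 2>/dev/null; then t=$(tty); else t=notty; fi
    printf '%s real=%s effective=%s tty=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(real_user)" "$(id -un)" "$t" "$*"
}

# Log, then replace this shell with the application (exec keeps a single process,
# so the application's exit status goes straight back to the caller).
launch() {
    line=$(audit_line "$APP" "$@")
    printf '%s\n' "$line" >>"$LOG"
    # Also send the record to syslog (auth facility): a user acting as appl_id can
    # truncate $LOG, but not the syslog copy. logger exists on Solaris and Linux.
    logger -p auth.info -t appl_launch "$line" 2>/dev/null
    exec "$APP" "$@"
}

# Only launch when installed and invoked under the expected name, so sourcing
# this file from .profile (for history_file) does not exec the application.
case "${0##*/}" in
    appl_launch) launch "$@" ;;
esac
```

Install the wrapper as root-owned, mode 0755, so the users it audits cannot edit it; if appl_id or the group could write to it, the audit line would be the first thing removed. Granting `ALL=(appl_id) /usr/local/bin/appl_launch` is also narrower than granting root `su - appl_id -c ...`: sudo switches straight to appl_id and the wrapper is the only thing that can be run. Under pfexec there is no SUDO_USER, so the record depends on `who am i`, which is empty for sessions with no utmp entry (for example a command run over ssh without a pty); the wrapper then falls back to LOGNAME, which is the weakest of the three sources.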