su - root, without pressing password

Dear Friends,

I want to su to the root user from a normal user without pressing any password. Is it possible?

Like,

oracle# su - root
 passwd :

But here I want to directly enter as the root user without pressing any password.

I need it because I need to run a script that is owned by oracle, and in the middle of the script I need to su to the root user.

Waiting for kind reply ... ...

Hi.

You can uncomment this line in /etc/pam.d/su:

auth            sufficient      pam_wheel.so trust use_uid

And run the command

usermod -a -G wheel oracle

This would allow Oracle to su to root without the password. I hope your Sys Admin likes you!!

Hi,

What you want is not possible because it is built this way. If a non-root user can become root without giving any password, then what is the point of passwords?

If oracle can become root then who wants to become oracle when you can be root instead? Then what security is there? ..... Hey who just killed the system do you know? ..... Because everybody on the system is now a superuser hacker? :wink:

I dunno whether it will work, but if you really still want to, you can try clearing the encrypted root password in the shadow file, and in the password file change root:X: to root::

But even if it works you will still have problems, because in the middle of your script where you run su - root you will enter a new shell and your script may do nothing.

I don't think Oracle DBAs are hackers. Generally there should be a good relationship between them - especially in larger organisations.

Sun invented PAM(!), and this solution works, but I certainly wouldn't recommend it for anything other than installing Oracle.

Apart from running root.sh during an installation, I don't really know why the Oracle user would need root access. And root.sh takes about 0.0002 seconds to run, so it would be quicker for the admin to run it than doling out root access!

Woah ... smoke a peace pipe, take a deep breath and count to ten. :wink:

I never said Oracle DBAs are hackers; I was just trying to impress on this guy why su - root without passwords is a bad idea.

You may use sudo to accomplish what you need. Ensure you disable "requiretty" if you need to run sudo in batch (i.e. from a script). Ensure you add the user via the visudo command, ensure you select NOPASSWD, and specify the command to allow. Each time the authorized user invokes "sudo /some-command" it will be logged.
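
The sudo setup described in the post above, as an added example that is not part of the original thread: a sudoers fragment scoped to one command, a blanket rule for contrast, and a small lint that tells them apart. The helper path /usr/local/sbin/oracle-root-step and all function names are hypothetical.

```shell
#!/bin/sh
# Added example; the helper path and function names are assumptions.
# HELPER is a script that performs only the one privileged step.
HELPER=/usr/local/sbin/oracle-root-step

# Scoped rule: user oracle, as root only, no password, no tty, one command.
sudoers_fragment() {
    cat <<EOF
Defaults:oracle !requiretty
oracle ALL=(root) NOPASSWD: $HELPER
EOF
}

# The rule to avoid: passwordless root for every command.
weak_fragment() {
    echo 'oracle ALL=(ALL) NOPASSWD: ALL'
}

# Lint sudoers text on stdin. Fails (exit 1) if any NOPASSWD rule grants
# ALL or anything that is not an absolute command path. Cmnd_Alias names
# are flagged too, since the lint cannot see what they expand to.
lint_nopasswd() {
    awk '
      /^[ \t]*#/ { next }
      /NOPASSWD:/ {
          cmds = $0
          sub(/.*NOPASSWD:[ \t]*/, "", cmds)
          sub(/[ \t]+$/, "", cmds)
          n = split(cmds, c, /[ \t]*,[ \t]*/)
          for (i = 1; i <= n; i++)
              if (c[i] == "ALL" || c[i] !~ /^\//) bad = 1
      }
      END { exit bad + 0 }
    '
}

# In the oracle-owned script, the privileged step then becomes:
#   sudo -n "$HELPER"      # -n: fail instead of prompting for a password

# Demo: the scoped fragment passes, the blanket rule is rejected.
sudoers_fragment | lint_nopasswd && echo "scoped rule: ok"
weak_fragment | lint_nopasswd || echo "blanket rule: rejected"
```

Install the fragment with visudo -f /etc/sudoers.d/oracle-root-step so its syntax is checked before it takes effect. The helper must be owned by root and not writable by oracle, otherwise the scoped rule is equivalent to full root.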

Sorry. For whatever reason that didn't quite come out as I intended :o

And you're right, it isn't a great idea.

Cheers

I threw together a quickie little example web-page for "Giving Privileges to Users", that demonstrates the use of sudo, as well as the use of expect, for controlling interactive programs in batch. Here's the link:

Giving Privileges to Users (Tom's Linux Tip's)

Hope that helps you!

  • Tom