Sudo as Oracle

Dear all,

Very recently, for audit purposes, we want to avoid generic users like "oracle" for login to our Database Server.
So we create a sudo user "db_user".
But while running sqlplus, we want to switch to user "oracle" and execute it.

Here we don't want to give the password of oracle; rather, we need to give the sudo password (which is the "db_user" password).

But sudo to root is possible, like "sudo -i".

But sudo to oracle is not possible.

Any ideas, please?

You will need something in sudo. If not it, then what?

But you can configure sudo to only allow specific users, like db_user, to switch to oracle. You do not need to hand your system a security blank cheque.

Do you mean a sudo user db_user, or a pseudo-user? The former has rules to execute commands with privileges of another account, where the latter is a pretend or non-personal account.

I'm just confused.

If you want to login as db_user, but then get it to run commands as oracle, you will need to write a sudo rule to allow that.
It could require the db_user password or no password, but all actions will be attributed to the account db_user.

Would it not be better to have people use a personal account and give them the privilege to run the required commands as account oracle instead?

What sort of commands are you wanting to allow it to run? If it is to start/stop the database instance, this can be done during the boot/shutdown automatically which may be better all round.

Robin

I have a faint memory that oracle allows the mapping of OS users to DB internal users. Wouldn't that help?

Hi,
If you want to use all the commands and privileges like oracle --> in the sudoers file, give permission for db_user to switch to oracle. You can access it with "# sudo su - oracle", which will not ask for a password.

If you want to run only specific commands --> then give permission for only those commands in the sudoers file.

Thanks for all your input. I have solved it by using

sudo -u oracle -i

and then I got the oracle prompt by entering the password of my account db_user, so the logs also get updated.

Thanks
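
A sudoers fragment covering the options discussed in this thread, added here as an example and not posted by any participant. The account names db_user and oracle are from the thread; the file name, the sqlplus path, the group "dbops" and the log file path are assumptions.

```sudoers
# /etc/sudoers.d/db_user   (assumed file name; edit with: visudo -f <file>,
# then validate with: visudo -c)

# Option A: db_user may run any command as oracle. This is what
# "sudo -u oracle -i" needs, because -i starts oracle's login shell.
# sudo prompts for db_user's own password, never oracle's.
db_user  ALL = (oracle) ALL

# Option B: only specific commands as oracle (path is an assumption).
# With this rule instead of Option A, "sudo -u oracle -i" without a command
# is refused, since oracle's shell is not in the list. Call it as:
#   sudo -u oracle /u01/app/oracle/product/19c/bin/sqlplus
# Note that sqlplus can itself run OS commands (HOST / !), so this limits
# what sudo logs as the entry point, not what the session can do as oracle.
#Cmnd_Alias ORA_CMDS = /u01/app/oracle/product/19c/bin/sqlplus
#db_user  ALL = (oracle) ORA_CMDS

# Option C: personal accounts, as suggested in the thread. Members of the
# hypothetical group "dbops" get the same right, and each sudo log entry
# then names the individual instead of a shared db_user.
#%dbops  ALL = (oracle) ALL

# Audit trail: write sudo events to a dedicated file (assumed path) and
# record terminal output of sessions started by db_user.
Defaults          logfile=/var/log/sudo.log
Defaults:db_user  log_output
```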