I understand where you are going with this. Don't think about su - oracle directly. A sudo -u oracle -H isn't quite what you are looking for either, because you want the environment variables to auto load, and Oracle DBAs can be (not all, but many) very lazy about loading them manually.

The best option is sudo su - oracle. You can lock that down in the sudoers config, and you can lock the su permissions to the wheel group via the local configuration files in /etc/security or via the pam module. Either way you need to add in configuration file management, which is not what freeipa is for.

On Jul 17, 2012 12:34 AM, "Erinn Looney-Triggs" <erinn.looneytri...@gmail.com> wrote:
> On 07/16/2012 01:47 PM, Steven Jones wrote:
> > Hi,
> >
> > OK, so to confirm this can't be done in a centralised way via IPA?
> >
> > In which case, when setting a HBAC with sshd only, why can't I su - oracle but I can su - root?
> >
> > regards
> >
> > Steven Jones
> > Technical Specialist - Linux RHCE
> > Victoria University, Wellington, NZ
> > 0064 4 463 6272
> >
> > ________________________________________
> > From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytri...@gmail.com]
> > Sent: Tuesday, 17 July 2012 9:38 a.m.
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] stopping su -
> >
> > On 07/16/2012 01:32 PM, Steven Jones wrote:
> >> I have created a sshd rule only for the HBAC, but I find a std user can su - to root. Is this correct behavior?
> >>
> >> How do I? or can I? stop this unless explicitly allowed?
> >>
> >> regards
> >>
> >> Steven Jones
> >> Technical Specialist - Linux RHCE
> >> Victoria University, Wellington, NZ
> >> 0064 4 463 6272
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users@redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > You need to control this via PAM. So for me I restrict su to only be allowed for members of the wheel group, from /etc/pam.d/su:
> >
> > auth required pam_wheel.so use_uid
> >
> > There are comments in the file that will get you where you want to go.
> >
> > -Erinn
>
> I can't speak to whether it can or cannot be done centrally in any sort of authoritative way; might be possible there are HBAC settings for su, and I can't really answer your question about suing to oracle.
>
> -Erinn
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
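The two host-local controls named in this thread are the `pam_wheel.so` line in `/etc/pam.d/su` (Erinn's suggestion) and a sudoers rule scoped to `sudo su - oracle` (the reply's suggestion). The script below is an added example, not code from the thread or from FreeIPA: it builds constructed "before" and "after" copies of both files in a temporary directory and checks each with a small audit function, so you can see what "locked down" looks like on disk and verify it under configuration management. The group name `dba`, the `oracle` account and the file contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the pam_wheel line in
# /etc/pam.d/su and a sudoers rule limited to "su - oracle".
# All sample files are constructed here; "dba" is an assumed group name.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Return 0 when the pam file has an active (uncommented) line that makes
# pam_wheel.so required for auth, i.e. only wheel members may attempt su.
pam_su_restricts_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# Return 0 when every active sudoers rule in the file grants exactly
# "/bin/su - oracle" as root and nothing broader (no bare su, no ALL).
sudoers_grants_only_su_oracle() {
    pattern='^%?[A-Za-z0-9_]+[[:space:]]+ALL=\(root\)[[:space:]]+/bin/su[[:space:]]+-[[:space:]]+oracle[[:space:]]*$'
    # Drop comments and blank lines; fail if any remaining rule deviates.
    if grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Evq "$pattern"; then
        return 1
    fi
    return 0
}

# Constructed stock-style /etc/pam.d/su: the pam_wheel line is still
# commented out, so any user who knows the target password can su.
cat > "$WORK/su.weak" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
session         include         system-auth
EOF

# Hardened copy: the line is uncommented. use_uid checks the real uid of
# the caller, so someone who already switched accounts cannot bypass it.
cat > "$WORK/su.hard" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
session         include         system-auth
EOF

# Constructed /etc/sudoers.d fragment: dba members (assumed group) may run
# exactly "su - oracle", so the oracle login environment loads, and nothing else.
cat > "$WORK/sudoers.good" <<'EOF'
# assumed group name for illustration
%dba ALL=(root) /bin/su - oracle
EOF

# Over-broad variant for contrast: a bare su lets the caller pick any
# target user, root included.
cat > "$WORK/sudoers.broad" <<'EOF'
%dba ALL=(root) /bin/su
EOF

# Stand-alone run: report the result for each constructed file.
for f in su.weak su.hard; do
    if pam_su_restricts_to_wheel "$WORK/$f"; then
        echo "$f: su limited to wheel"
    else
        echo "$f: su open to every user"
    fi
done
for f in sudoers.good sudoers.broad; do
    if sudoers_grants_only_su_oracle "$WORK/$f"; then
        echo "$f: grants only su - oracle"
    else
        echo "$f: broader than su - oracle"
    fi
done
```

Point the two functions at the real `/etc/pam.d/su` and your `/etc/sudoers.d/` fragment to check a host; because FreeIPA does not manage these files, a check like this belongs in whatever configuration management deploys them, as the reply notes.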