In AIX, we can restrict who can access (su to) a particular user account using the SUGROUP parameter (the sugroups attribute in /etc/security/user).
Background
The example below is used to explain.
We have a normal user account 'user1'.
We are going to create an admin account for 'user1'; this account is 'admin1'.
We do not want to allow any non-admin to access 'admin1', hence we use SUGROUP to restrict it. Here I used the 'admingrp' group, since all admins are members of this group.
It is not a problem if another admin accesses 'admin1', since /var/log/authlog shows who used that account (this requires syslog to be configured to write the auth facility there; su itself also records every attempt, including failed ones, in /var/adm/sulog). The example log below shows someone logged in as root switching to the 'user2' account before switching to 'admin1'.
devserver:/:>tail -2 /var/log/authlog
Feb 14 10:12:11 devserver auth|security:notice su: from root to user2 at /dev/pts/0
Feb 14 10:12:15 devserver auth|security:notice su: from user2 to admin1 at /dev/pts/0
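As an added example that is not part of the original post: the POSIX shell function below reads lines in the authlog format shown above and, for every su into a chosen target account, prints when it happened, on which tty, who did it, and the previous su recorded on the same tty. That is the by-hand reconstruction of the root to user2 to admin1 trail, automated. The log lines are constructed for the demo (the two lines from the post plus one made-up line for a second tty), and the function name su_trail is my own, not an AIX command.

```shell
#!/bin/sh
# Constructed authlog for the demo: the two lines shown above plus one
# made-up line for a second tty. Not taken from a real system.
make_authlog() {
  cat > "$1" <<'EOF'
Feb 14 10:12:11 devserver auth|security:notice su: from root to user2 at /dev/pts/0
Feb 14 10:12:15 devserver auth|security:notice su: from user2 to admin1 at /dev/pts/0
Feb 14 11:02:40 devserver auth|security:notice su: from user2 to admin1 at /dev/pts/1
EOF
}

# su_trail LOGFILE TARGET
# For each "su: from X to TARGET at TTY" line, print the time, tty and caller
# and, if an su was already logged on that tty, that earlier switch (the
# identity the caller came from). The log records no "exit", so the earlier
# entry is the most recent su on the tty, not a guaranteed parent shell.
su_trail() {
  awk -v target="$2" '
    $6 == "su:" && $7 == "from" && $9 == "to" && $11 == "at" {
      ts = $1 " " $2 " " $3; from = $8; to = $10; tty = $12
      if (to == target) {
        line = ts " " tty ": " from " -> " to
        if (tty in prev) line = line "  (earlier on this tty: " prev[tty] ")"
        print line
      }
      prev[tty] = ts " " from " -> " to
    }' "$1"
}

# Demo: who reached admin1, and from where.
log=$(mktemp)
make_authlog "$log"
su_trail "$log" admin1
rm -f "$log"
```

For the constructed log this prints one line per su into admin1; the first carries the "earlier on this tty: ... root -> user2" context, the second (a direct su from a user2 login on /dev/pts/1) has none. Run it against the real file with `su_trail /var/log/authlog admin1`; the same parsing works on `tail` output piped through a temporary file.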
Parameters and Procedure
The whole account creation was done via smitty. Further notes:
- 'admin1' must be a member of the 'appgrp' group so that it can access files owned by appgrp.
- 'admin1' also needs to be a member of the staff group to access 'user1' files.
- Since this is a privileged account, we set the following:
  o No remote login (SSH, telnet, etc.)
  o No local login (physical console)
  o A shorter password maximum age (maxage, which AIX counts in weeks; account expiry itself is the separate expires attribute)
- SU GROUP set to 'admingrp'
If you want to use the command line (which I don't really recommend unless you are scripting):
devserver:/:>mkuser "id=11705" "pgrp=appgrp" "groups=appgrp,staff" "home=/home/admin1" "shell=/usr/bin/bash" "gecos=name name name" "login=false" "su=true" "rlogin=false" "admin=false" "sugroups=admingrp" "maxage=5" admin1
devserver:/:>passwd admin1
devserver:/:>pwdadm -c admin1
Here login=false and rlogin=false disable local and remote login, su=true allows other users to su to the account, and sugroups=admingrp limits that to members of admingrp. Running passwd as root sets the ADMCHG flag, which would force a password change at first use; pwdadm -c clears the password flags so the password works as set.
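On the AIX box itself the result is verified with `lsuser -a su sugroups login rlogin maxage admin1`. As an added example that is not part of the original post, the shell script below reproduces the su/sugroups decision against a constructed stanza file in the /etc/security/user format, so the rule can be exercised and unit-tested without an AIX system. The stanza contents and the function names user_attr and su_allowed are my own; the script models the ALL keyword and a comma-separated group list, and a missing attribute falls back to the default: stanza as on AIX. AIX also accepts !group exclusions in sugroups, which are not modelled here.

```shell
#!/bin/sh
# Constructed /etc/security/user-style stanza file for the demo (not copied
# from a real host). admin1 mirrors the mkuser command above.
make_stanza_file() {
  cat > "$1" <<'EOF'
default:
        su = true
        sugroups = ALL
        login = true
        rlogin = true

admin1:
        su = true
        sugroups = admingrp
        login = false
        rlogin = false
        maxage = 5

user1:
        login = true

svcacct:
        su = false
EOF
}

# user_attr FILE USER ATTR
# Print the value of ATTR from USER's stanza, falling back to "default:"
# when the user's stanza does not set it.
user_attr() {
  val=$(awk -v u="$2" -v a="$3" '
    /^[^ \t#][^:]*:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
    stanza == u && index($0, "=") {
      n = index($0, "="); k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == a) { print v; exit }
    }' "$1")
  if [ -z "$val" ] && [ "$2" != default ]; then
    user_attr "$1" default "$3"
  else
    printf '%s\n' "$val"
  fi
}

# su_allowed FILE TARGET CALLER_GROUPS
# Return 0 if a caller whose groups are CALLER_GROUPS (comma separated) may
# su to TARGET: the target's "su" attribute must be true and its "sugroups"
# must be ALL or contain one of the caller's groups. Note that it is the
# caller's groups that are checked, not the target's.
su_allowed() {
  [ "$(user_attr "$1" "$2" su)" = true ] || return 1
  sg=$(user_attr "$1" "$2" sugroups)
  [ "$sg" = ALL ] && return 0
  for g in $(printf '%s' "$3" | tr ',' ' '); do
    for allowed in $(printf '%s' "$sg" | tr ',' ' '); do
      [ "$g" = "$allowed" ] && return 0
    done
  done
  return 1
}

# Demo mirroring the post: user2 (in admingrp) may su to admin1, a staff-only
# user may not, anyone may su to user1, and nobody may su to svcacct.
f=$(mktemp)
make_stanza_file "$f"
for case in "admin1 admingrp,staff" "admin1 staff" "user1 staff" "svcacct admingrp"; do
  set -- $case
  if su_allowed "$f" "$1" "$2"; then verdict=allowed; else verdict=denied; fi
  echo "groups=$2 -> su $1: $verdict"
done
rm -f "$f"
```

The awk parser is deliberately strict about stanza headers (a name followed by a colon at the start of the line) so that indented attribute lines are never mistaken for a new stanza; on a real system, prefer lsuser over parsing the file, since lsuser also resolves attributes held in other registries.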
Result
Remote login will fail.
me@server [~]
~$ssh admin1@devserver
admin1@devserver's password:
Received disconnect from 10.10.50.10: 2: Remote login for account admin1 is not allowed.
Access to root will fail. (This relies on root's own sugroups being restricted on this server; by default root inherits sugroups = ALL from the default stanza, so anyone with the root password could su to it.)
devserver:/:>su - user1
$ su - admin1
admin1's Password:
-bash-3.2$ su -
root's Password:
You are not allowed to su to this account.
Cannot su to "root" : Account is not accessible.
A non-admin will not be able to access this account.
me@devserver [~]
~$su - admin1
admin1's Password:
You are not allowed to su to this account.
Cannot su to "admin1" : Account is not accessible.
Another admin (a member of admingrp, here user2) can access this account.
devserver:/:>su - user2
$ su - admin1
admin1's Password:
-bash-3.2$ id
uid=11705(admin1) gid=101(appgrp) groups=1(staff)
Note that admin1 itself is not a member of admingrp (id shows only appgrp and staff); sugroups is checked against the groups of the user running su, not the target account.