To audit activity, I don't know, but you can use something like this in that particular .profile:
Either you take off $$ and have a history per user, or use $$ to have a session history, but that means maybe a lot of tidying up on a very regular basis.
The best way to handle this kind of situation is to implement SUDO or RBAC.
RBAC will need a considerable effort and study, though I have not seen/worked on any RBAC implementations.
SUDO is the easiest of all, and the logging can be customized and routed to a separate log file. Sufficient restrictions can be built into the configurations too.
Providing an application account password to multiple users is the most dangerous way of giving access. If one user is to have access removed, then you would have to reset the password and provide the new one to every other user.
Implementing these kind of restrictions is easy with SUDO/RBAC.
Since the post is old, hope you might have found a way already.
RBAC will need a considerable effort and study
...
Implementing these kind of restrictions is easy with SUDO/RBAC.
Aren't you self contradicting with both of these statements?
---------- Post updated at 11:03 ---------- Previous update was at 10:40 ----------
Quote:
Originally Posted by fretagi
There is an application installed on a server that has a unique login account, but many users are using it with the same login name! How can we overcome this by creating individual accounts for the same application login account?
There are several ways to allow different Solaris users to run your application with the shared login account. However, there would be no simple way, if any, to sort out who did what using the application unless the application logs record a session id for each event.
In the worst case scenario, i.e. two users logging in and launching the application at the very same time, you won't be able to sort them out.
As for how to do it, RBAC and sudo have already been suggested; which one to pick will, among other factors, depend on what Solaris release you are using (10 or 11).
Can you describe what the user sees/does after the login? Are they locked in to the application or dropped to the command line?
If the application absolutely has to run as that user, then I'd be very tempted to set up individual accounts with a common group and give them all a sudo privilege (by OS group) to allow them to all execute the specific command:-
I think you would add something like this with visudo:-
You can then script a simple startup script, a simple menu or force them all to run this at login so they are held within the application. Logging within the application is another matter though, but who am i will give you the real logged in user account. Don't be confused with whoami though. This may just give you the current process owner, in this case the application account.
Beware that sudo is not part of a standard Solaris 10 (and older) installation so it might not be available on your system. On the other hand, RBAC is standard so here is the RBAC way to implement a similar feature:
- add the following line to /etc/security/prof_attr
- these ones to /etc/user_attr
- and finally, that one to /etc/security/exec_attr
With these settings, both testuser1 and testuser2 will be able to run the "application" command as appl_id with this command:
These 2 Users Gave Thanks to jlliagre For This Post:
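The attribution question raised in this thread, worked through as an added example that is not code from any poster: once each person has an individual login and reaches the shared account only through sudo, the sudo log records the real user behind every launch, including two launches in the same second. The names appl_id, testuser1 and testuser2 are the ones used above; the host name, the application path and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. appl_id, testuser1 and testuser2 are the names used in the
# thread; the host "sol10", the path /opt/app/bin/application and every log
# line below are constructed for illustration.
sample_log() {
cat <<'EOF'
Mar  3 10:40:01 sol10 sudo: testuser1 : TTY=pts/1 ; PWD=/export/home/testuser1 ; USER=appl_id ; COMMAND=/opt/app/bin/application
Mar  3 10:40:01 sol10 sudo: testuser2 : TTY=pts/2 ; PWD=/export/home/testuser2 ; USER=appl_id ; COMMAND=/opt/app/bin/application
Mar  3 11:03:17 sol10 sudo: testuser1 : TTY=pts/1 ; PWD=/tmp ; USER=appl_id ; COMMAND=/opt/app/bin/application
Mar  3 11:05:42 sol10 sudo: testuser2 : command not allowed ; TTY=pts/2 ; PWD=/tmp ; USER=appl_id ; COMMAND=/usr/bin/bash
Mar  3 11:09:30 sol10 sudo: testuser1 : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/ls
EOF
}

# audit_shared_account ACCOUNT PERMITTED_COMMAND  (sudo log on stdin)
# Reports, per real login, how often the permitted command was started as
# ACCOUNT, and flags denied or unexpected commands aimed at that account.
audit_shared_account() {
    awk -v acct="$1" -v allowed="$2" '
    / sudo: / && /COMMAND=/ {
        line = $0
        sub(/^.* sudo: +/, "", line)          # drop timestamp, host and tag
        n = split(line, part, / ; /)          # "user : TTY=.." ; PWD ; USER ; COMMAND
        split(part[1], head, / : /)           # head[1] = invoking (real) user
        runas = ""; cmd = ""
        for (i = 2; i <= n; i++) {
            if (part[i] ~ /^USER=/)    runas = substr(part[i], 6)
            if (part[i] ~ /^COMMAND=/) cmd   = substr(part[i], 9)
        }
        if (runas != acct) next               # only the shared account matters
        if (head[2] !~ /^TTY=/)               # sudo puts the refusal reason here
            printf "DENIED %s tried %s as %s\n", head[1], cmd, acct
        else if (cmd != allowed)
            printf "ALERT %s ran %s as %s\n", head[1], cmd, acct
        else
            ok[head[1]]++
    }
    END { for (u in ok) printf "OK %s started the application %d time(s)\n", u, ok[u] }
    ' | sort
}

sample_log | audit_shared_account appl_id /opt/app/bin/application
```

The comparison is exact, so a launch with extra arguments is reported as ALERT; what happens inside the application after it starts is still only as attributable as the application's own logs make it.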