On Mon, Mar 22, 2021 at 06:24:10PM +0000, Jesse Hernandez via IBM Community wrote:
> I have a menu system set up for our operators to be able to perform
> some simple administrator tasks without needing to call a system
> admin. In this menu system they have the capability to start and
> stop databases by executing scripts. They are allowed to do this
> today because we have assigned the id of 0 to the account but we
> have been hit in a security audit because of this. So I'm having to
> set this back to some other normal id number. These scripts require
> the ability to su to the database user in order to be run, but
> I need them to not prompt for the database user password. How would
> I go about setting this up in sudo?
Please consider whether AIX's Role Based Access Control (RBAC) could
be extended to cover your custom commands. It's supported software,
and sudo is not.

Alternatively consider using localhost locked SSH keys to allow you to
run commands as other users.

Finally, use sudo but consider purchasing a support contract from its
author.
------------------------------------------------------------------
Russell Adams
Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/
Original Message:
Sent: 3/22/2021 10:31:00 AM
From: Jesse Hernandez
Subject: su to another user without password
I have a menu system set up for our operators to be able to perform some simple administrator tasks without needing to call a system admin. In this menu system they have the capability to start and stop databases by executing scripts. They are allowed to do this today because we have assigned the id of 0 to the account but we have been hit in a security audit because of this. So I'm having to set this back to some other normal id number. These scripts require the ability to su to the database user in order to be run, but I need them to not prompt for the database user password. How would I go about setting this up in sudo?
------------------------------
Jesse Hernandez
------------------------------
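
A sudoers sketch for the sudo option raised in this thread, added here as an example and not taken from either poster's message. It shows two over-broad rules next to a rule scoped to the two database scripts. The group `operators`, the account `dbadmin`, the script paths and the drop-in file location are all assumptions.

```sudoers
# /etc/sudoers.d/dbmenu   (hypothetical path; edit with: visudo -f <file>)
# Assumed names: group "operators", database owner "dbadmin",
# scripts under /usr/local/dbmenu/. Replace with the site's real values.

# Too broad: any command as any user without a password.
# This is equivalent to the UID 0 account the audit flagged.
# %operators ALL = (ALL) NOPASSWD: ALL

# Still too broad: an unrestricted shell as the database owner.
# %operators ALL = (root) NOPASSWD: /usr/bin/su - dbadmin

# Scoped: only these two scripts, only as dbadmin, and only with no
# arguments (the trailing "" means "no command-line arguments allowed").
Cmnd_Alias DB_CTL = /usr/local/dbmenu/start_db.sh "", \
                    /usr/local/dbmenu/stop_db.sh ""

# Start the scripts from a reset environment rather than the operator's.
Defaults!DB_CTL env_reset

%operators ALL = (dbadmin) NOPASSWD: DB_CTL

# The menu would then call, instead of "su - dbadmin -c ...":
#   sudo -n -u dbadmin /usr/local/dbmenu/start_db.sh
# -n makes sudo fail instead of prompting if the rule does not match.
#
# The scripts and their directory must not be writable by the operators,
# otherwise the rule lets them run arbitrary code as dbadmin.
```

Running `sudo -l` as one of the operators lists the commands the rule actually grants, which is a quick check that nothing wider than the two scripts is allowed.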