Restricting logins on non-root accounts
Mike Bilow
mikebw at colossus.bilow.com
Mon May 8 17:46:44 EDT 2000
This is standard practice here. It should be done for all system users
("oracle," "postgres," "www-data," etc.) and is considered a good idea.
We do it by setting the account password to disabled. On a conventional
password system (not PAM), you can just set the password field (where the
password hash would normally be stored) to '*' or, alternatively, use
"passwd -l oracle" to guarantee that no password can match the hash.
Since root can su as any user without a password, you can then set up a
sudo rule that allows selected users to become "oracle."
-- Mike
On 2000-05-08 at 12:02 -0400, John Abreau wrote:
> I've gotten a request from our DBA to modify the oracle login account so
> that users cannot login to it and must use "su" to access it. Is this
> doable without a lot of pain? What are the common ways of accomplishing
> this?
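
An added illustration of the check described in this message (not part of the original post): a shell audit that reads a shadow-format file and reports service accounts whose password field is not disabled with '*' or the '!' prefix that `passwd -l` writes on Linux. The sample file, its fake hashes, the function names, and the `dba` group in the sudoers comment are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit service accounts for a disabled password field.
# Matching sudoers rule (group "dba" is an assumption): %dba ALL=(oracle) ALL

# Print "locked", "empty", "password-set" or "missing" for account $2 in file $1.
lock_state() {
    awk -F: -v user="$2" '
        $1 == user {
            found = 1
            if ($2 == "")          print "empty"         # no password required at all
            else if ($2 ~ /^[*!]/) print "locked"        # "*" or a "!"-prefixed hash
            else                   print "password-set"  # a hash some password can match
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Print one line per account that can still log in with a password; return 1 if any.
audit_accounts() {
    file=$1; shift
    rc=0
    for acct in "$@"; do
        state=$(lock_state "$file" "$acct")
        case $state in
            locked|missing) ;;                  # nothing to report
            *) echo "$acct: $state"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample in shadow(5) layout; the hashes are fake placeholders.
write_sample() {
    cat > "$1" <<'EOF'
root:$6$constructed$fakehash:11085:0:99999:7:::
oracle:*:11085:0:99999:7:::
postgres:!$6$constructed$fakehash:11085:0:99999:7:::
www-data:$6$constructed$fakehash:11085:0:99999:7:::
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_accounts "$sample" oracle postgres www-data || echo "unlocked service accounts found"
rm -f "$sample"
```

A disabled password field stops password logins only; SSH key logins to the account are controlled separately.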