The reason is more political than technical. We have non-technical users that previously all logged in using a single shared account (the administrative account for a specific application). They would use WinSCP and that single account to transfer in a file. They would then log in to the account in a PuTTY window and run a command against the transferred file which would create a processed file. They would then go into WinSCP again and transfer the processed file back to their desktops.

For security reasons we didn't want them all using the same account directly as there is no way to tell who did what. Accordingly, we set up individual accounts and sudo to allow them to "sudo su - " after they had logged in with those individual accounts. That was OK for PuTTY but it meant the WinSCP transfer was being done as the individual account instead of the administrative account. transfer to your home directory as WinSCP then login via PuTTY and copy the file, do the processing etc.). Additionally, the processed file is always owned by the administrative user due to the need to run the application command as that user. If, however, we could allow them to sudo with both PuTTY and WinSCP then the only change that is occurring is the need to log in as themselves. In PuTTY we add the step sudo su - but that is the only addition to the procedure since the WinSCP sudo solution I posted puts them in as the admin user for the transfers. Since it does the sudo we still have an audit trail of who did what. Obviously other solutions could be done, e.g. putting all the users in the same group as the admin user, modifying environment variables etc. for the individual users and working out how to let them use the application under their IDs. However, it was clear on my initial steps down those roads that I would encounter heavy resistance that would likely result in removing sudo altogether and allowing them direct access to the admin account again.

During my search for using sudo this way I'd run across other posts making it clear I wasn't the only person that had wanted such a solution, so I posted here and on LQ where I'd asked my question before figuring it out.