Re: Question regarding sudo equivalents

From: John Mchugh <john.mchugh_at_oracle.com>
Date: Mon, 13 Jun 2016 17:16:06 -0700
Message-Id: <9455D201-E8EF-45C6-BA42-CE636DE5BD58_at_oracle.com>



Interesting thread... Along the lines of automated provisioning, where the database and grid infrastructure require root execution for root.sh and orainstRoot.sh, what do most of you use? Or is it acceptable to run the provisioning scripts as root and 'su' to the specific oracle user to run the installation? By automation I mean no human intervention at all for provisioning purposes.

thanks,
jpm

On Jun 13, 2016, at 5:04 PM, William Muriithi <william.muriithi_at_gmail.com> wrote:

> Evening Pete,
> >
> > If you need secured access to root (i.e. sudo-like functionality) what are you using to get that access? The reason I’m asking is because I was on a call with a customer this morning and they said sudo was old hat and no-one in their industry uses it any more. Now that’s the first I’ve heard of that, as just about every customer I’ve dealt with apart from this particular customer is using sudo quite happily. I occasionally run across PowerBroker, but that’s about it. I’d be interested to find what people are using, particularly since Enterprise Manager supports sudo or PowerBroker to get this functionality, and if people are moving away from that we need to look at broadening what we support in the product.
> >
> >
> >
> That's interesting. First time I have heard that the industry is moving away from sudo, so I did a bit of digging and feel like that's not true. If there were more popular tools, they would be supported by Puppet and Ansible.
>
> Below are the privilege escalation methods offered by Ansible.
>
> (default=sudo), valid choices: [ sudo | su | pbrun | pfexec | doas | dzdo
>
> The above are the Ansible-supported methods. Other than pbrun, the rest are platform specific and not in wide use, from the basic 10 min Google research. I could be wrong though.
>
> What platform is your client using? Will bet it may be Solaris and they are therefore using pfexec. Anyway, think it's better to still use sudo for the following reason.
>
> With sudo and FreeIPA, you can push sudo configuration across the data centre, like the way you can push GPO from Active Directory. Ah, and also prefer a product supported by the operating system by default. Far more secure that way.
>
> Regards
>
> William
>

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Jun 14 2016 - 02:16:06 CEST