I have several AIX boxes hosting Oracle EBS. The company I work for has to comply with SOX 404, which among other things means the root password cannot be shared among administrators. I therefore need to create an account for each administrator and grant it root-equivalent rights.
One approach on Linux (and HP-UX) is to set each administrator account's UID to 0, which makes every login from those accounts effectively a root login. The problem is that all of those accounts then share root's configuration, shell history and log entries, because the system only knows the numeric UID. When you look at root's .history file, for instance, you cannot tell which administrator ran what: every action appears to have been performed by root. That defeats exactly the accountability SOX is asking for.
What I can do instead is use sudo, which delegates root access to specific users or groups and logs every command together with the user who invoked it. Here is a short how-to on installing sudo on AIX.
- Get the source here; as of the time of writing the current stable release is 1.7.2p1. The tarball is published with a PGP signature; verify it before you build something you are about to install setuid root.
- Since you will need to compile sudo from source, make sure a C compiler is installed and can be called. You can purchase a license for IBM's XL C compiler, or use the good old GCC. To check, simply type "cc".
If the output is similar to this:
# cc
ksh: cc: not found.
then either the C compiler is not installed, or it is simply not on your PATH. In my case it was the latter: "cc" from the xlC compiler was installed in "/usr/vac/bin". You can either create a symlink to "cc" in "/usr/sbin" or "/sbin", or add "/usr/vac/bin" to your PATH. To temporarily add "/usr/vac/bin" to your PATH for the current shell, type the following:
# export PATH=$PATH:/usr/vac/bin
Test it by running "cc -qversion" if you are using the xlC compiler, or "cc --version" if you are using GCC.
# cc -qversion
IBM XL C/C++ Enterprise Edition for AIX, V9.0
Version: 09.00.0000.0000
- Untar the source, then configure, compile and install. Run "make install" as root; it installs the sudo binary setuid root, which is what lets an unprivileged user run commands as root.
# gunzip sudo-1.7.2p1.tar.gz
# tar xvf sudo-1.7.2p1.tar
# cd sudo-1.7.2p1
# ./configure
# make
# make install
The steps above install the sudo executables: sudo in /usr/local/bin and visudo in /usr/local/sbin. Both directories are most likely not on your PATH, so for ease of use create a symlink for each executable:
# ln -s /usr/local/bin/sudo /usr/bin/sudo
# ln -s /usr/local/sbin/visudo /usr/sbin/visudo
You can also download a prebuilt RPM package here and install it with rpm. Note that this package is 1.6.9p23, an older release than the 1.7.2p1 source above, and the "noldap" in its name suggests it was built without LDAP support:
# rpm -ivh sudo-1.6.9p23-2noldap.aix5.3.ppc.rpm
- I assume that all accounts to be used by the administrator team have already been created. The correct way of creating a user account on AIX is "smit user". Put all administrator accounts in one group, in my case "wheel". To do this, use "smit group":
# smit group
Go to "Add a Group" and enter "wheel" as the Group Name. Go to the USER List and press F4 (or Escape+4) to get the list of available users. Mark each administrator account with F7 (or Escape+7). When you are done, press Enter.
- Edit /etc/sudoers using visudo, never with a plain editor: visudo locks the file and refuses to save one with a syntax error, which would otherwise break sudo for everyone.
Uncomment the following line so that every member of the "wheel" group may run any command as any user:
%wheel ALL=(ALL) ALL
Save. Before you log out of the root session, open a second session as one of the administrator accounts and confirm that sudo works (for example "sudo -l" to list what that account may run); if something is wrong you still have the root shell to fix it. Only then log out from root.
We're done 🙂 To use sudo, simply log in with your non-root account and run "sudo command-name". For example, to create the folder /opt/sources using sudo, type:
$ sudo mkdir /opt/sources
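The point of all this, as noted above when dismissing the UID-0 approach, is attribution: sudo writes one syslog line per invocation naming the invoking user, TTY, working directory, target user and command, and it also logs attempts by users who are not in sudoers. The script below is an added example, not part of the original post, that pulls a per-user report out of such log lines. The host name, user names and commands in the embedded sample are constructed for this example; point the functions at your real syslog file (its location depends on your /etc/syslog.conf) instead.

```shell
#!/bin/sh
# Constructed sample syslog lines in the format sudo writes. The host
# "aixebs01", the users and the commands are made up for this example;
# the last line is a non-sudo entry to show it is ignored.
SAMPLE_LOG='Jun 12 10:15:01 aixebs01 sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/mkdir /opt/sources
Jun 12 10:16:44 aixebs01 sudo:      bob : TTY=pts/5 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Jun 12 10:17:02 aixebs01 sudo:    carol : user NOT in sudoers ; TTY=pts/7 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
Jun 12 10:20:19 aixebs01 sudo:    alice : TTY=pts/3 ; PWD=/opt ; USER=root ; COMMAND=/usr/bin/chown oracle /opt/sources
Jun 12 10:21:00 aixebs01 sshd[12345]: Accepted password for bob from 10.0.0.5 port 50022 ssh2'

# sudo_report: read syslog lines on stdin and print one
# "user<TAB>status<TAB>command" line per sudo entry. Lines from other
# daemons are skipped. Entries carrying sudo's "user NOT in sudoers"
# marker are reported as DENIED, so an auditor sees failed escalation
# attempts and not only the successful ones.
sudo_report() {
    awk '
        $5 ~ /^sudo(\[[0-9]+\])?:$/ {
            user = $6
            status = ($0 ~ / user NOT in sudoers /) ? "DENIED" : "OK"
            # everything after "COMMAND=" is the command and its arguments
            cmd = $0
            sub(/.*COMMAND=/, "", cmd)
            printf "%s\t%s\t%s\n", user, status, cmd
        }'
}

# sudo_count_for_user USER: number of successful sudo invocations by USER
# in the log read on stdin.
sudo_count_for_user() {
    sudo_report | awk -F'\t' -v u="$1" '$1 == u && $2 == "OK" { n++ } END { print n + 0 }'
}

# sudo_denied_users: distinct users who tried sudo without being in sudoers.
sudo_denied_users() {
    sudo_report | awk -F'\t' '$2 == "DENIED" { print $1 }' | sort -u
}

# Show the report for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | sudo_report
```

On a real system, run it as "sudo_report < /var/adm/messages" or whatever file your syslog.conf directs the auth messages to; the same report over the shared root .history file would be impossible, because that file never records who typed the command.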
I have written a bit more on how to use sudo here. Do check it out.