In order to use privilege delegation, specific sudo rules have to be defined. This rule normally already exists:<\/p>\n
\r\nmdecker ALL=(root) NOPASSWD:\/bin\/su - oracle\r\n<\/pre>\nIn addition to this one, two additional rules are required. If only sudo to “oracle” is required, then only the first line is needed.<\/p>\n
\r\nmdecker ALL=(oracle) SETENV:\/u01\/app\/oracle\/cloud\/agent\/sbin\/nmosudo *\r\nmdecker ALL=(root) SETENV:\/u01\/app\/oracle\/cloud\/agent\/sbin\/nmosudo *\r\n<\/pre>\n
Go to Setup -> Security -> Privilege Delegation.
\n![\"\"](\"http:\/\/www.ora-solutions.net\/web\/wp-content\/uploads\/2017\/09\/Screen-Shot-2017-09-13-at-21.44.55.png\")
\nThen you can either set it globally via template or individually for each host. This depends mainly on the path to “sudo” binary in the operating system. Then you choose “sudo” and provide the path to the sudo binary on your operating system (bash$ which sudo). The required parameters are then appended: \/usr\/bin\/sudo -E -u %RUNAS% %COMMAND%<\/p>\n
![\"\"](\"http:\/\/www.ora-solutions.net\/web\/wp-content\/uploads\/2017\/09\/Screen-Shot-2017-09-13-at-21.47.41.png\")
<\/p>\n
If you are in a team of administrators, then each administrator should have his own account to log on to Cloud Contol and avoid using “sysman” user. For obvious reasons, each administrator has to create his own “named credential” (Setup->Security->Named Credential), because it contains his personalized username and password.<\/p>\n
![\"\"](\"http:\/\/www.ora-solutions.net\/web\/wp-content\/uploads\/2017\/09\/Screen-Shot-2017-09-13-at-21.56.20.png\")
<\/p>\n
Here you provide your personalized credentials (username\/password) and specify that sudo should be used to change to “oracle”. <\/p>\n
Go to “Targets” -> “Host” and click “Run Host Command”. Then give the command to run, e.g. “id -a”, and then add a named credential as well as a specific host and click “Run”.
\n![\"\"](\"http:\/\/www.ora-solutions.net\/web\/wp-content\/uploads\/2017\/09\/Screen-Shot-2017-09-13-at-22.03.16.png\")
\nIf all is well, then you will get this output showing you the id of user oracle.
\n![\"\"](\"http:\/\/www.ora-solutions.net\/web\/wp-content\/uploads\/2017\/09\/Screen-Shot-2017-09-13-at-22.04.07.png\")
\n<\/ol>\n
How does this work behind the scenes? The agent java process spawns a process “nmo”. This process was granted SETUID root Privileges by executing $ORACLE_HOME\/root.sh at the time of agent deployment. This executable is calling “sudo” to run command “nmosudo” as user oracle with the “payload” command, which the user wanted to execute. <\/p>\n
\r\nroot 14595 3149 0 14:23 pts\/0 00:00:00 \/u01\/app\/oracle\/cloud\/agent\/sbin\/nmo\r\nroot 14598 14595 0 14:23 pts\/1 00:00:00 \/usr\/bin\/sudo -p ###AGENT-PDP-PASSWORD-PROMPT### -E -u oracle \/u01\/app\/oracle\/cloud\/agent\/sbin\/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION \/bin\/sh -c id -a\r\noracle 14602 14598 0 14:23 pts\/1 00:00:00 sleep 300\r\n<\/pre>\nThe linux logfile \/var\/log\/secure will contain this messages. It can be seen that the personal user “mdecker” was running the command “nmosudo” with the payload command “id -a” as attribute.<\/p>\n
\r\nSep 13 22:03:59 xxx sudo: mdecker : TTY=pts\/2 ; PWD=\/u01\/app\/oracle\/cloud\/agent\/agent_inst\/sysman\/emd ; USER=oracle ; COMMAND=\/u01\/app\/oracle\/cloud\/agent\/sbin\/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION \/bin\/sh -c id -a\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"Quite frequently in database environments, security policies dictate that only personalized logons to Unix \/ Linux are allowed and that from there, one has to “sudo” to change to the oracle account. While this adds an additional layer of security, it makes administration a little more complicated. Oracle Enterprise Manager – Cloud Control has a […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[6,1],"tags":[],"class_list":["post-1454","post","type-post","status-publish","format-standard","hentry","category-oracle-enterprise-manager","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ora-solutions.net\/web\/wp-json\/wp\/v2\/posts\/1454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ora-solutions.net\/web\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ora-solutions.net\/web\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ora-solutions.net\/web\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ora-solutions.net\/web\/wp-json\/wp\/v2\/comments?post=1454"}],"version-history":[{"count":17,"href":"https:\/\/www.ora-solutions.net\/web\/wp-json\/wp\/v2\/posts\/1454\/revisions"}],"predecessor-version":[{"id":1477,"href":"https:\/\/www.ora-solutions.net\/web\/wp-json\/wp\/v2\/posts\/1454\/revisions\/1477"}],"wp:attachment":[{"href":"https:\/\/www.ora-solutions.net\/web\/wp-json\/wp\/v2\/media?parent=1454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ora-solutions.net\/web\/wp-json\/wp\/v2\/categories?post=1454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ora-solutions.net\/web\/wp-json\/wp\/v2\/tags?post=1454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}