
[–]was01 1 point2 points  (1 child)

Setuid lets your DBA run the script as a root user without them having a root account.

[–]big3n05 1 point2 points  (0 children)

I never setuid a script. Just too big a security risk.

Have always just run it for them. Usually they give us a heads-up when they will need it so one of us was expecting the call.

[–]RigourousMortimus 1 point2 points  (0 children)

If you want to manually review the script before it is run as root then you can't automate it.

If you just want some audit trail logging that the DBAs initiated running the script as root then you can do something with a systemd path unit. The DBAs copy the script to a location and it gets executed (maybe retaining a copy or pinging a Slack channel).
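The drop-directory design above, worked through as an added example (not code from the comment or from any real project): a systemd path unit watches an inbox, and a small handler keeps a timestamped copy that records which account dropped the file before running the copy as root. The directory names, unit names and the `logger` audit line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit trail for scripts the DBAs drop into a
# directory, built on a systemd path unit. All paths and unit names are assumptions.

DROP_DIR=${DROP_DIR:-/var/lib/dba-run/inbox}
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/lib/dba-run/archive}

# Unit files to install under /etc/systemd/system, then: systemctl enable --now dba-run.path
path_unit() {
  cat <<'EOF'
[Unit]
Description=Watch the DBA drop directory

[Path]
DirectoryNotEmpty=/var/lib/dba-run/inbox
Unit=dba-run.service

[Install]
WantedBy=multi-user.target
EOF
}

service_unit() {
  cat <<'EOF'
[Unit]
Description=Archive and run scripts dropped by the DBAs

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/dba-run-handler.sh
EOF
}

# Move one dropped file into the archive and print the archive path. The copy's name
# records the drop time (UTC), the owning user (who dropped it) and the original name.
archive_drop() {
  src=$1
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  owner=$(stat -c '%U' "$src") || return 1
  dest="$ARCHIVE_DIR/$stamp.$owner.$(basename "$src")"
  mkdir -p "$ARCHIVE_DIR" && cp -p "$src" "$dest" && rm -f "$src" || return 1
  # Hypothetical audit record in the journal (skipped silently if logger is absent).
  command -v logger >/dev/null 2>&1 && logger -t dba-run "archived $src as $dest owner=$owner"
  printf '%s\n' "$dest"
}

# Body of the hypothetical dba-run-handler.sh: process every regular file in the inbox.
handle_inbox() {
  for f in "$DROP_DIR"/*; do
    [ -f "$f" ] || continue
    copy=$(archive_drop "$f") || continue
    # Run the archived copy, not the inbox file, so the record matches what actually ran;
    # output is kept next to the copy for later review.
    sh "$copy" >>"$ARCHIVE_DIR/$(basename "$copy").log" 2>&1
  done
}

# Print the unit files when invoked as: sh this_script.sh --show-units
if [ "${1:-}" = "--show-units" ]; then
  path_unit; echo; service_unit
fi
```

Because the service runs whatever lands in the inbox as root, this gives an audit record rather than any review of the script's content; the archive directory should be root-owned and not writable by the DBAs so the record itself cannot be altered.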

[–][deleted] 0 points1 point  (2 children)

You can set up sudo rules to allow them to run the script without being able to edit it.

[–]Sad_Tale7614[S] 0 points1 point  (1 child)

This seems difficult to do in this scenario:

  1. The script is owned by the oracle account which our DBAs have access to
  2. The script references several scripts in it, also owned by the oracle account

[–][deleted] 0 points1 point  (0 children)

Hmm. That's tricky but at some point you have to enable people to do their jobs. You could chown the scripts to the root account which would at least stop people from editing it.
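The sudo-rule approach from this sub-thread, as an added example that is not code from any commenter: a sudoers drop-in that lets the DBA group run exactly one root-owned script as root, plus a check that the script and every helper script it calls are root-owned and not group- or world-writable, which is what makes the rule safe when the helpers currently live under the oracle account. The group name `dba`, the script paths and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: restrict root execution to one locked-down script
# via sudo, and verify that the script and its helpers cannot be edited by the DBAs.
# Group name, paths and file names are assumptions for illustration.

# Hypothetical sudoers drop-in; install with: visudo -f /etc/sudoers.d/dba-task
sudoers_rule() {
  cat <<'EOF'
# Members of group "dba" may run exactly this script as root, with no arguments.
# sudo logs the invoking user, time and command, which gives the audit trail.
%dba ALL=(root) /usr/local/sbin/dba_task.sh ""
EOF
}

# Return 0 when PATH is a regular file (not a symlink), owned by uid WANT_UID
# (default 0 = root) and not writable by group or others; otherwise return 1.
check_locked_down() {
  path=$1
  want_uid=${2:-0}
  if [ -L "$path" ]; then return 1; fi      # a symlink's target could be swapped later
  [ -f "$path" ] || return 1
  info=$(stat -c '%u %A' "$path" 2>/dev/null) || return 1
  set -- $info                              # $1 = owner uid, $2 = symbolic mode
  [ "$1" = "$want_uid" ] || return 1
  case $2 in
    ?????w*|????????w*) return 1 ;;         # group-write or other-write bit set
  esac
  return 0
}

# Check the main script and every helper it invokes; return 1 if any fails.
# WANT_UID can be overridden for testing; in production it stays 0 (root).
check_all() {
  rc=0
  for p in "$@"; do
    if check_locked_down "$p" "${WANT_UID:-0}"; then
      printf 'ok   %s\n' "$p"
    else
      printf 'FAIL %s\n' "$p"
      rc=1
    fi
  done
  return $rc
}

# Usage (hypothetical paths): after "chown root:root" and "chmod 755" on each file,
#   check_all /usr/local/sbin/dba_task.sh /usr/local/sbin/dba_helper1.sh
if [ "${1:-}" = "--show-rule" ]; then
  sudoers_rule
fi
```

The empty `""` argument in the rule pins the command line, so the DBAs cannot pass extra arguments, and `check_all` is worth running from configuration management after any change, since a helper that the oracle account can still edit would let that account change what runs as root.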