
EM 13c: What Sudo Permissions are required for Installing Agent using Deployment Method with A Locked User Account (Doc ID 1489270.1)

Last updated on NOVEMBER 24, 2021

Applies to:

Enterprise Manager Base Platform - Version 13.1.0.0.0 and later
Information in this document applies to any platform.

Goal

Deploying the Enterprise Manager Agent using locked account privilege delegation has the following prerequisite requirements:

EM 13c:  https://docs.oracle.com/en/enterprise-manager/cloud-control/enterprise-manager-cloud-control/13.5/embsc/installing-oracle-management-agents.html#GUID-707CAE59-AD17-4E8C-8C0E-7B9B2D3FFE70

SUDO/PBRUN Requirements (Only for UNIX)
    Ensure that the installing user has SUDO/PBRUN privileges to invoke /bin/sh AS ROOT.
    Ensure that you have the following line in the /etc/sudoers file. This is required to allow remote command execution using sudo.
        Defaults visiblepw
    Ensure that you comment out the following line in the /etc/sudoers file:
        Defaults requiretty

Locked Account Requirements
      Ensure that the locked account user (oracle) has read permission on the home directory of the login user.

and

Set the oracle.sysman.prov.agentpush.pdpShellOutEnabled parameter to false in the <OMS_HOME>/sysman/prov/agentpush/agentpush.properties file if sudo is configured for the locked out user.

The first requirement, which allows named users to run "sudo /bin/sh [script_name]", might be considered a potentially unacceptable security hole.

Alternatively, restrict the sudo privilege to the specific commands that the locked account user must execute for agent deployment.
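A preflight audit of the prerequisites listed above, added here as an example and not taken from Oracle's documentation or tooling. The function names are hypothetical; the script assumes each Defaults setting sits on its own line, as shown above, and does not follow files pulled in by include directives.

```shell
#!/bin/sh
# Added example: audit a sudoers file and agentpush.properties against
# the prerequisites in this note. Usage: script <sudoers> <properties>

# Succeeds if FILE ($1) has an active (uncommented) "Defaults <flag>" line.
has_default() {
    grep -Eq "^[[:space:]]*Defaults[[:space:]]+$2[[:space:]]*(#.*)?\$" "$1"
}

# Prints active rules that grant /bin/sh. Such a rule gives the named
# user an unrestricted root shell, so each one deserves a review.
shell_grants() {
    grep -Ev '^[[:space:]]*(#|Defaults|$)' "$1" |
        grep -E '(^|[[:space:],])/bin/sh([[:space:],]|$)'
}

# Succeeds if pdpShellOutEnabled is set to false in FILE ($1).
pdp_shellout_disabled() {
    grep -Eq '^[[:space:]]*oracle\.sysman\.prov\.agentpush\.pdpShellOutEnabled[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$1"
}

# Prints one finding per line; returns non-zero if a prerequisite is unmet.
audit() {
    sudoers=$1 props=$2 rc=0
    has_default "$sudoers" visiblepw ||
        { echo "MISSING: Defaults visiblepw"; rc=1; }
    if has_default "$sudoers" requiretty; then
        echo "ACTIVE: Defaults requiretty (comment it out)"; rc=1
    fi
    pdp_shellout_disabled "$props" ||
        { echo "UNSET: pdpShellOutEnabled is not false"; rc=1; }
    shell_grants "$sudoers" | sed 's/^/REVIEW (root shell grant): /'
    return $rc
}

if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

The REVIEW lines do not fail the audit, because the /bin/sh grant is itself one of the documented prerequisites; they exist so the breadth of that grant is visible to whoever approves the deployment.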

 

Solution
