EM 12c, 13c: What Sudo Permissions are required for Installing Agent using Deployment Method with A Locked User Account (Doc ID 1489270.1)

Last updated on DECEMBER 22, 2016

Applies to:

Enterprise Manager Base Platform - Version 12.1.0.1.0 and later
Information in this document applies to any platform.

Goal

Deploying the Enterprise Manager Agent using locked account privilege delegation has the following prerequisite requirements:

EM 12c:   http://docs.oracle.com/cd/E24628_01/install.121/e22624/install_agent.htm#BABCFEGE
E
M 13c:   http://docs.oracle.com/cd/E63000_01/EMBSC/install_agent_new.htm#CHDJJDEH

SUDO/PBRUN Requirements (Only for UNIX)
    Ensure that the installing user has SUDO/PBRUN privileges to invoke /bin/sh AS ROOT.
    Ensure that you have the following line in the /etc/sudoers file. This is required to allow remote command execution using sudo.
        Defaults visiblepw
    Ensure that you comment out the following line in the /etc/sudoers file:
        Defaults requiretty

Locked Account Requirements
      Ensure that the locked account user (oracle) has read permission on the home directory of the login user.

and

Set the oracle.sysman.prov.agentpush.pdpShellOutEnabled parameter to false in the .../Middleware/oms/sysman/prov/agentpush/agentpush.properties file, if sudo is configured for the locked out user

 

The first security requirement to allow named users to be able to run "sudo /bin/sh [script_name]" might be considered a potentially unacceptable security hole.

Alternatively, specify the commands to be executed by the locked account user with the sudo privilege for doing agent deployment.

 

Solution

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms