On Solaris, you can use the RBAC features in two ways.
One is to create a role account and assign a rights profile to it. You assume this role with the su command.
The other is to assign one or more rights profiles directly to a user account. You log into your own account and use it as a normal user, very much like sudo.
The pfexec program is used to execute commands with the attributes specified by the user's profiles in the exec_attr(4).

I split this into two steps in the examples below.

Step 1: Using pfexec to delegate administration

By default, there are several predefined profiles in the RBAC system on Solaris; you can check /etc/security/exec_attr and /etc/security/prof_attr. To assign a profile to a user, for example the 'Primary Administrator' profile to user 'John':

# usermod -P'Primary Administrator'  John
UX: usermod: John is currently logged in, some changes may not take effect until next login.

What can John do in his next login session? Check /etc/security/exec_attr and you will find the following entry:

# cat /etc/security/exec_attr | grep "Primary Administrator"
Primary Administrator:suser:cmd:::*:uid=0;gid=0

In this way, John has been granted root privileges on the system under the control of pfexec:

$ id -a
uid=502(John) gid=502(other)
$ pfexec id -a
uid=0(root) gid=0(root) groups=1(other)

Want to do everything as root without typing pfexec each time? Try this:
$ pfexec bash
# id
uid=0(root) gid=0(root)

To withdraw the root privilege, you only have to remove the Primary Administrator profile from John's account. No need to set a new root password.

Compared with sudo, though, this opens the door too wide: the profile's exec_attr entry is a wildcard (*) with uid=0, so John can run any command as root.

Step 2: Make pfexec work like sudo

First, you need to create a rights profile in the RBAC system on Solaris. You can either edit the attr files manually or use /usr/sadm/bin/smexec to do it.
In the example below, I want to create a profile that can run explorer to collect system information.
Add one line to /etc/security/exec_attr:

log collection:suser:cmd:::/opt/SUNWexplo/bin/explorer:uid=0

Add one line to /etc/security/prof_attr:

log collection:::log collection:auths=solaris.smf.manage.system-log,solaris.label.range,\

Second, assign the profile to user John:

usermod -P'log collection'  John

Then log in as John and run explorer, first as a normal user:

$ /opt/SUNWexplo/bin/explorer
Jan 04 23:35:46 testnode[27965] explorer: FATAL exited: Must be run as root

Under pfexec:

$ pfexec /opt/SUNWexplo/bin/explorer
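To see at a glance what a profile assignment like the two above actually grants, here is an added audit script (written for this post, not a Solaris tool) that parses the exec_attr(4), prof_attr(4) and user_attr(4) record formats, resolves a user's profiles including profiles= nesting in prof_attr, and flags the wildcard-as-root case. The database contents, the 'Admin' user and the nesting of 'log collection' under 'Primary Administrator' are constructed sample data, not the real system files.

```python
# Constructed sample databases (not copied from a live system); fields follow
# exec_attr(4): name:policy:type:res1:res2:id:attr, prof_attr(4) and
# user_attr(4): name:res1:res2:desc_or_qualifier:attr.
EXEC_ATTR = """\
Primary Administrator:suser:cmd:::*:uid=0;gid=0
log collection:suser:cmd:::/opt/SUNWexplo/bin/explorer:uid=0
"""
PROF_ATTR = """\
Primary Administrator:::Full root via pfexec (constructed):profiles=log collection
log collection:::log collection:auths=solaris.smf.manage.system-log
"""
USER_ATTR = """\
John::::profiles=log collection
Admin::::profiles=Primary Administrator
"""

def attrs(field):
    """Parse a 'key=value;key2=value2' attribute field into a dict."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)

def records(db, nfields):
    """Yield colon-separated records of the expected width, skipping comments."""
    for line in db.splitlines():
        f = line.split(":")
        if len(f) == nfields and not line.startswith("#"):
            yield f

def resolve_profiles(user):
    """All profiles assigned to a user, following profiles= nesting in prof_attr."""
    nested = {f[0]: attrs(f[4]).get("profiles", "") for f in records(PROF_ATTR, 5)}
    todo = [p for f in records(USER_ATTR, 5) if f[0] == user
            for p in attrs(f[4]).get("profiles", "").split(",") if p]
    seen = set()
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo += [q for q in nested.get(p, "").split(",") if q]
    return seen

def grants(user):
    """(profile, command, uid) for every exec_attr cmd entry the user's profiles grant."""
    profs = resolve_profiles(user)
    return [(f[0], f[5], attrs(f[6]).get("uid", "caller"))
            for f in records(EXEC_ATTR, 7) if f[0] in profs and f[2] == "cmd"]

def full_root(user):
    """True when a profile grants the wildcard command '*' as uid 0 (unrestricted root)."""
    return any(cmd == "*" and uid == "0" for _, cmd, uid in grants(user))
```

Point it at the real /etc/security and /etc/user_attr files to review which accounts hold an unrestricted wildcard grant versus a single-command profile like 'log collection'.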

