On Solaris, you can use the RBAC features in two ways.
One is to create a role account and assign a rights profile to it. You can assume this role by using the su command.
The other is to assign one or more rights profiles directly to a user account. You can log into your account and use it as a normal user, very much like sudo.
The pfexec program is used to execute commands with the attributes specified by the user's profiles in the exec_attr(4) database.
I split this into two steps in the examples below.
Step 1: Using pfexec to delegate administration
By default, there are several predefined profiles in the RBAC system on Solaris; you can check /etc/security/exec_attr and /etc/security/prof_attr. To assign a profile to a user, for example the 'Primary Administrator' profile to user 'John':
# usermod -P'Primary Administrator' John
UX: usermod: John is currently logged in, some changes may not take effect until next login.
What can John do in his next login session? Check /etc/security/exec_attr; you will find the following entry:
# grep "Primary Administrator" /etc/security/exec_attr
In this way, John has been assigned root privileges on the system under the control of pfexec:
$ id -a
$ pfexec id -a
uid=0(root) gid=0(root) groups=1(other)
Want to do everything as root without typing pfexec every time? Try this:
$ pfexec bash
To withdraw the root privilege, you just have to remove the Primary Administrator profile from the user. There is no need to set a new root password.
Compared with sudo, this opens the door too wide.
Step 2: Make pfexec work like sudo
First, you need to create a rights profile in the RBAC system on Solaris. You can either manually edit the attr files or use /usr/sadm/bin/smexec to do it.
In the example below, I want to create a profile that can run explorer to collect system information.
Add one line to /etc/security/exec_attr:
Add one line to /etc/security/prof_attr:
log collection:::log collection:auths=solaris.smf.manage.system-log,solaris.label.range,\
Second, assign the profile to user John:
usermod -P'log collection' John
Then log in as John and run explorer under pfexec.
Run it in normal mode first (without pfexec); it fails:
Jan 04 23:35:46 testnode explorer: FATAL exited: Must be run as root
$ pfexec /opt/SUNWexplo/bin/explorer
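As an added audit example (not from the original post), here is a POSIX shell function that reads exec_attr(4)-format entries and reports, for one profile, which commands pfexec may run and whether the profile hands out unrestricted root (a "*" command id with uid=0), which is what makes 'Primary Administrator' wide open and the 'log collection' profile narrow. The sample entries are constructed here rather than read from /etc/security/exec_attr, and the field layout name:policy:type:res1:res2:id:attr is assumed from the Solaris 10 format.

```shell
#!/bin/sh
# Added example, not from the original post: audit exec_attr(4)-style entries
# (constructed sample below, not the real /etc/security/exec_attr) and show,
# per profile, what pfexec is allowed to run and with which attributes.

EXEC_ATTR_SAMPLE='# name:policy:type:res1:res2:id:attr
Primary Administrator:suser:cmd:::*:uid=0;gid=0
log collection:suser:cmd:::/opt/SUNWexplo/bin/explorer:uid=0
Printer Management:suser:cmd:::/usr/sbin/lpadmin:euid=lp'

# Usage: audit_profile 'Profile Name' < exec_attr_file
# Prints one "<command id> <attr>" line per matching entry; prints a
# WIDE-OPEN line instead when the id is "*" and the attributes set uid=0.
audit_profile() {
    awk -F: -v prof="$1" '
        /^#/ || NF < 7 { next }           # skip comments and malformed lines
        $1 == prof {
            id = $6; attr = $7
            if (id == "*" && attr ~ /(^|;)uid=0(;|$)/) {
                print "WIDE-OPEN: profile \"" prof "\" runs any command as root"
            } else {
                print id " " attr
            }
        }'
}

# Returns 0 when the profile is limited to named commands, 1 when it is
# wide open (any command as root), evaluated against the constructed sample.
profile_is_narrow() {
    ! printf '%s\n' "$EXEC_ATTR_SAMPLE" | audit_profile "$1" | grep -q '^WIDE-OPEN'
}

# Stand-alone demonstration of the two profiles discussed above
printf '%s\n' "$EXEC_ATTR_SAMPLE" | audit_profile 'Primary Administrator'
printf '%s\n' "$EXEC_ATTR_SAMPLE" | audit_profile 'log collection'
```

On a real system, feed the function the live file (audit_profile 'log collection' < /etc/security/exec_attr) to confirm a delegated profile is limited to the commands you intended.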