Less known Solaris features: pfexec
One of my first tutorials was the tutorial about RBAC. In this new tutorial I want to come back to this topic. In the RBAC tutorial I used su to assume a different role. But Solaris offers an additional way to work with the privileges of a different role.
Before trying out the commands in this document you should familiarise yourself with the concepts and commands of RBAC in Solaris by reading the Role Based Access Control tutorial.
You can use the RBAC features in two ways. On one side, you can create a role account and assign a rights profile to it. You can assume this role by using the su command. I assume you've read the RBAC tutorial, so you should be aware of terms like role and rights profile.
A rights profile is a collection of administrative capabilities that can be assigned to a role or to a user. A rights profile can consist of authorizations, of commands with security attributes, and of other rights profiles. Rights profiles offer a convenient way to group security attributes.
But you can also assign one or more rights profiles directly to a user account. You can log into your account and use it as a normal user. The pfexec command is essential for the following tasks: as long as you don't use pfexec, your commands are executed unaware of any rights assigned by the rights profiles. You have to prepend pfexec to your command. This executes your command in the context of your assigned profiles.
The interesting point about pfexec: you don't have to type in a password. You can think of it as a passwordless sudo.
Using pfexec to delegate administration
Let's assume you are a user on your system and you have to share and unshare directories on a regular basis. Of course you can't do this with your normal user privileges. But you can add a profile with these rights to your user. Let's check for a matching profile. We need the share command, so let's do a quick check in /etc/security/exec_attr.
So you have to assign the File System Management profile. When you assign this profile to a user, the user is able to execute the configured commands with root privileges. So let's assign this profile to the user.
You have to log out now and log in again. Now we try to export the filesystem again, but this time we use pfexec. The pfexec command is used to execute other commands with the attributes specified by the user's profiles.
Et voilà ... you were able to share the directory.
Providing root privileges with pfexec
But there is another interesting use case for pfexec. When you look into /etc/security/exec_attr, you will find the following entry:
So every command will be executed with uid 0 and gid 0. You have essentially root privileges for anything you execute under the control of pfexec. Let's try this. We execute id -a twice, once without and once with pfexec.
Without pfexec you have the uid of your own user. When you execute the same command under the control of pfexec, you see the uid and gid of the root user. Now it's really simple to get a root bash shell on your system. Perhaps you are tired of typing in pfexec again and again:
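The two lookups in this post (which profile grants the share command, and why the Primary Administrator entry makes every command run with uid 0 and gid 0) can be reproduced offline. The following Python script is an added example, not code from the original post and not part of Solaris; it walks constructed user_attr, prof_attr and exec_attr databases, laid out like the real files, in the order pfexec consults them (user_attr, then nested profiles in prof_attr, then exec_attr) and reports which profile, if any, would cover a command and with which uid/gid. The user names and the exact entries are assumptions.

```python
"""Added example: resolve which rights profile lets a user run a command under
pfexec, by walking the RBAC databases user_attr -> prof_attr -> exec_attr.
The databases below are constructed samples in the real file layouts; the user
names and the exact entries are assumptions, not copied from a system."""

# user:qualifier:res1:res2:attr  (user_attr(4))
USER_ATTR = """\
# constructed sample
jmoekamp::::type=normal;profiles=File System Management
admin::::type=normal;profiles=Primary Administrator
"""

# profname:res1:res2:desc:attr  (prof_attr(4)); profiles= nests other profiles
PROF_ATTR = """\
# constructed sample
File System Management:::Manage, mount, share file systems:help=RtFileSysMngmnt.html
Primary Administrator:::Can perform all administrative tasks:auths=solaris.*;profiles=All;help=RtPriAdmin.html
All:::Execute any command as the user or role:help=RtAll.html
"""

# name:policy:type:res1:res2:id:attr  (exec_attr(4)); id is a path or "*"
EXEC_ATTR = """\
# constructed sample
File System Management:suser:cmd:::/usr/sbin/share:uid=0
File System Management:suser:cmd:::/usr/sbin/unshare:uid=0
Primary Administrator:suser:cmd:::*:uid=0;gid=0
All:suser:cmd:::*:
"""


def parse_db(text):
    """Split a colon-separated attribute database into rows, skipping comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def parse_attrs(field):
    """Turn 'k1=v1;k2=v2' into a dict; an empty attr field yields {}."""
    attrs = {}
    for item in field.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key] = value
    return attrs


def user_profiles(user, user_attr=USER_ATTR):
    """Profiles assigned directly to the user in user_attr, in listed order."""
    for row in parse_db(user_attr):
        if row[0] == user:
            return [p for p in parse_attrs(row[4]).get("profiles", "").split(",") if p]
    return []


def expand_profiles(names, prof_attr=PROF_ATTR):
    """Depth-first expansion of nested profiles; first occurrence wins and
    cycles are ignored, so the result is an ordered list without duplicates."""
    nested = {}
    for row in parse_db(prof_attr):
        nested[row[0]] = [p for p in parse_attrs(row[4]).get("profiles", "").split(",") if p]
    ordered = []

    def walk(name):
        if name in ordered:
            return
        ordered.append(name)
        for sub in nested.get(name, []):
            walk(sub)

    for name in names:
        walk(name)
    return ordered


def exec_entry(user, cmd, user_attr=USER_ATTR, prof_attr=PROF_ATTR, exec_attr=EXEC_ATTR):
    """First exec_attr 'cmd' entry, in the user's profile order, whose id is the
    command path or the wildcard '*'. Returns (profile, attrs), or None when no
    profile covers the command, i.e. pfexec would add no rights to it."""
    profiles = expand_profiles(user_profiles(user, user_attr), prof_attr)
    rows = parse_db(exec_attr)
    for profile in profiles:
        for row in rows:
            if row[0] == profile and row[2] == "cmd" and row[5] in (cmd, "*"):
                return profile, parse_attrs(row[6])
    return None


def runs_as_root(user, cmd):
    """True when the matching entry sets uid or euid to 0 for this command."""
    hit = exec_entry(user, cmd)
    if hit is None:
        return False
    return hit[1].get("uid") == "0" or hit[1].get("euid") == "0"


if __name__ == "__main__":
    for user, cmd in (("jmoekamp", "/usr/sbin/share"),
                      ("jmoekamp", "/usr/bin/bash"),
                      ("admin", "/usr/bin/bash")):
        print(user, cmd, exec_entry(user, cmd), "root:", runs_as_root(user, cmd))
```

Two things the run makes visible. First, the lookup is keyed on the command path and the profile order: the user with only File System Management gets uid 0 for /usr/sbin/share and nothing for a shell, while the Primary Administrator wildcard entry matches any command, which is exactly why that profile hands out root for everything. Second, none of this is consulted unless the command is started through pfexec, which is the point made earlier about plain commands running unaware of the assigned profiles.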
This is a cool feature for several reasons. You don't have to give the root password away: users with the Primary Administrator execution profile can get a root shell for their work. To withdraw the root privilege, you just have to remove the Primary Administrator profile from the user. No need to set a new root password.
pfexec is the sudo of Solaris, and it has some advantages. First, pfexec is passwordless, so you get the already mentioned advantages of assigning and revoking privileges. Second, you can log the actions of the pfexec command with Solaris Auditing. So pfexec is a really useful tool.
By the way: the user you create in the installation GUI of OpenSolaris 2008.05 is automatically assigned the Primary Administrator rights profile. Thus you can directly start to use pfexec.