Less known Solaris features: pfedit - editing is not everything
You have allowed junior to edit the httpd.conf, and you are able to monitor the changes with pfedit. However, there is a little problem: she or he can’t restart the Apache daemon to make the new config active. When junior tries to restart, he or she just gets:
Of course you don’t want to restart the service yourself every time junior changes the config. On the other hand, you don’t want to give junior root privileges. So what can you do?
Long-time readers of this blog will know what to do now: you can work with authorisations to delegate the permission to refresh the service. I explained that a long time ago in “Less known Solaris features: RBAC and Privileges - Part 2: Role based access control”, so I will go through the steps in condensed form. Okay, we will use the service svc:/network/http:apache22 for this example:
First, I will create two authorisations. One is planned to be used for actions (like restarting or refreshing a service), the other is for changing the status of the service (like enabling or disabling it).
Now I will assign them to the
All I have to do now is to assign this authorisation to the profile “http edit” I created in earlier tutorials.
Let’s check it again.
junior is now allowed to restart the service.
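
A way to double-check the delegation after the last step, as an added example that is not part of the original post: the script takes the list of authorisations a user holds (assumed to be the comma-separated form that `auths junior` prints) and reports which held entry, if any, grants the action authorisation (restart/refresh) and the value authorisation (enable/disable), so an over-broad wildcard becomes visible. The two authorisation names and both sample lists are constructed for illustration, it assumes only the action authorisation was put into the profile, and the matching is a simplified model (exact name or trailing `*`).

```shell
#!/bin/sh
# Added example. The two authorisation names are hypothetical stand-ins for
# the pair created in the post; the auth lists are constructed sample data.
ACTION_AUTH=example.smf.action.apache22   # restart / refresh
VALUE_AUTH=example.smf.value.apache22     # enable / disable

# matching_auth HELD REQUIRED
# HELD is a comma-separated list of authorisations held by a user. Prints the
# held entry that grants REQUIRED (exact name or trailing-* wildcard) and
# returns 0, or prints nothing and returns 1. Simplified model of the lookup.
matching_auth() (
    IFS=,
    set -f    # do not let the shell glob entries like "solaris.*"
    for held in $1; do
        case $held in
            "$2") echo "$held"; return 0 ;;
            *'*')
                prefix=${held%\*}
                case $2 in "$prefix"*) echo "$held"; return 0 ;; esac ;;
        esac
    done
    return 1
)

# audit_delegation HELD
# One line per capability, naming the entry that grants it so that an
# over-broad wildcard is visible in the result.
audit_delegation() {
    for pair in "restart:$ACTION_AUTH" "enable:$VALUE_AUTH"; do
        via=$(matching_auth "$1" "${pair#*:}") || via=
        echo "${pair%%:*}=${via:-DENIED}"
    done
}

# Constructed inputs: junior with only the action authorisation, and an
# account that picked up a wildcard covering both authorisations.
JUNIOR_AUTHS="solaris.admin.edit/etc/apache2/2.2/httpd.conf,$ACTION_AUTH"
BROAD_AUTHS="solaris.smf.read,example.smf.*"

audit_delegation "$JUNIOR_AUTHS"
audit_delegation "$BROAD_AUTHS"
```

On a live system the first argument would come from `auths junior`, and the two names from `svcprop -p general/action_authorization` and `svcprop -p general/value_authorization` on svc:/network/http:apache22.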