Making pfexec work like sudo under Solaris

Consulting in a mixed Solaris/RHEL/Wintel environment, I was asked about setting up sudo under Solaris to allow certain users (champions) access to the root user in order to perform some tasks that cannot be run as a normal user. While this isn't impossible to set up, I thought I'd try out the new role-based access control (RBAC) on the Solaris systems as an alternative to sudo {Guess who's just completed an Advanced Solaris 10 System Administration course} :-)

Using my course notes, I've created this document as an example. For this example I will create a profile that allows user 'martinch' to run Sun's data collection utility (aka explorer).

Create RBAC profile

We need to create a rights profile in the RBAC system under Solaris.

  1. Add one line to /etc/security/exec_attr
    log collection:suser:cmd:::/opt/SUNWexplo/bin/explorer:uid=0
  2. Add one line to /etc/security/prof_attr
    log collection:::log collection:auths=solaris.smf.manage.system-log,solaris.label.range,\

Assign profile to user

We now need to assign the profile to the user using the usermod command, for example:

# usermod -P'log collection' martinch

NOTE: If user 'martinch' is already logged in, simply log out and log in again; the user will then have access to the RBAC profile. (I haven't found a way of dynamically assigning a profile to an active user, but it takes seconds to log out and log in again.)
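Put together, the two database entries and the usermod step look like this as a shell script. This is an added example, not the post's own commands: the profile name, command path, user name and authorization names are taken from the post, the authorization list is assumed to stop where the post's prof_attr line is cut off, and the field-layout checks, dry-run guard and duplicate check are additions of mine. It only writes to /etc/security on a Solaris host where those databases are writable (i.e. when run as root); anywhere else it prints the entries it would add.

```shell
#!/bin/sh
# Added example (not from the original post): build the two RBAC database
# entries the post describes, sanity-check their field layout, and, only on a
# Solaris host with writable databases, install them and assign the profile.
# Profile name, command, user and auths come from the post; the auths list is
# assumed to end where the post's prof_attr line is cut off.

PROFILE='log collection'
CMD='/opt/SUNWexplo/bin/explorer'
USER_NAME='martinch'
AUTHS='solaris.smf.manage.system-log,solaris.label.range'

# exec_attr(4) layout: name:policy:type:res1:res2:id:attr
# uid=0 makes pfexec run the command as root; suser is the Solaris 10 policy.
exec_attr_line() {
    printf '%s:suser:cmd:::%s:uid=0\n' "$1" "$2"
}

# prof_attr(4) layout: name:res1:res2:desc:attr
prof_attr_line() {
    printf '%s:::%s:auths=%s\n' "$1" "$2" "$3"
}

# Number of colon-separated fields; empty fields still count.
field_count() {
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# An exec_attr line is sane when it has 7 fields, grants a command by
# absolute path, and carries uid=0 (the post's "must be run as root" case).
check_exec_attr() {
    line=$1
    [ "$(field_count "$line")" -eq 7 ] || return 1
    policy=$(printf '%s\n' "$line" | cut -d: -f2)
    kind=$(printf '%s\n' "$line" | cut -d: -f3)
    id=$(printf '%s\n' "$line" | cut -d: -f6)
    attr=$(printf '%s\n' "$line" | cut -d: -f7)
    case $policy in suser|solaris) ;; *) return 1 ;; esac
    [ "$kind" = cmd ] || return 1
    case $id in /?*) ;; *) return 1 ;; esac
    case ",$attr," in *,uid=0,*) ;; *) return 1 ;; esac
}

# A prof_attr line is sane when it has 5 fields and a non-empty description.
check_prof_attr() {
    line=$1
    [ "$(field_count "$line")" -eq 5 ] || return 1
    desc=$(printf '%s\n' "$line" | cut -d: -f4)
    [ -n "$desc" ]
}

# Append the entries and assign the profile. Wherever the databases are not
# writable (non-Solaris host, or not root) this only prints what it would do.
install_profile() {
    exec_entry=$(exec_attr_line "$PROFILE" "$CMD")
    prof_entry=$(prof_attr_line "$PROFILE" "$PROFILE" "$AUTHS")
    check_exec_attr "$exec_entry" || { echo "bad exec_attr entry: $exec_entry" >&2; return 1; }
    check_prof_attr "$prof_entry" || { echo "bad prof_attr entry: $prof_entry" >&2; return 1; }
    if [ ! -w /etc/security/exec_attr ] || [ ! -w /etc/security/prof_attr ]; then
        echo "dry run; would append:" >&2
        printf '  exec_attr: %s\n  prof_attr: %s\n' "$exec_entry" "$prof_entry" >&2
        return 0
    fi
    # Refuse to create a second profile with the same name.
    if grep -q "^$PROFILE:" /etc/security/prof_attr; then
        echo "profile '$PROFILE' already exists" >&2
        return 1
    fi
    printf '%s\n' "$exec_entry" >> /etc/security/exec_attr
    printf '%s\n' "$prof_entry" >> /etc/security/prof_attr
    # -P sets the user's whole profile list, so any profiles the user already
    # holds must be repeated here alongside the new one.
    usermod -P "$PROFILE" "$USER_NAME"
    # Show what the user now holds; the new profile should be listed.
    profiles -l "$USER_NAME"
}

install_profile
```

Run it as root on the Solaris box; `profiles -l martinch` at the end lists each assigned profile together with the commands it grants, which is the quickest way to confirm that explorer now carries uid=0 for that user before testing with pfexec. The duplicate check matters because a second prof_attr entry with the same name is silently ignored by the lookup, which makes a botched re-run hard to diagnose.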

Testing new profile

Once logged back in, we can run the explorer both without and with the RBAC profile to confirm that it works.

  • Run as a normal user
    $ /opt/SUNWexplo/bin/explorer
    Jun 01 13:53:21 smurf[80147] explorer: FATAL exited: Must be run as root
  • Using pfexec
    $ pfexec /opt/SUNWexplo/bin/explorer
    ATTENTION: Are you using Sun Explorer Data Collector to help in the resolution
    of an issue on a Sun product? In some cases, remote collaboration tools such
    as Sun's Shared Shell can accelerate issue resolution. Ask your Service
    representative about Shared Shell or visit
    It's secure, safe, and easy to use.