Making pfexec work like sudo under Solaris

Consulting in a mixed Solaris/RHEL/Wintel environment, I was asked about setting up sudo under Solaris to allow certain users (champions) access to the root user in order to perform some tasks that cannot be run as a normal user. While this isn't impossible to set up, I thought I'd try out the role based access control (RBAC) facility on the Solaris systems as an alternative to sudo {Guess who's just completed an Advanced Solaris 10 System Administration course} :-)

Using my course notes, I've created this document as an example. For this example I'll create a profile for user 'martinch' to run Sun's data collection utility (aka explorer).

Create RBAC profile

We need to create a rights profile in the RBAC system under Solaris.

  1. Add one line to /etc/security/exec_attr
    log collection:suser:cmd:::/opt/SUNWexplo/bin/explorer:uid=0
  2. Add one line to /etc/security/prof_attr
    log collection:::log collection:auths=solaris.smf.manage.system-log,solaris.label.range,\
     solaris.admin.logsvc.write,solaris.admin.logsvc.read,solaris.compsys.write,solaris.compsys.read

Assign profile to user

We now need to assign the profile to the user using the usermod command, for example:

# usermod -P'log collection' martinch

NOTE: If user 'martinch' is already logged in, simply log out and log in again and the user will have access to the RBAC profile. (I haven't found a way of dynamically assigning a profile to an active user, but it takes seconds to log out and log in again.)

Testing new profile

Once logged back in, we can run the explorer without and with the RBAC profile to confirm that it works.

  • Run as a normal user
    $ /opt/SUNWexplo/bin/explorer
    Jun 01 13:53:21 smurf[80147] explorer: FATAL exited: Must be run as root
  • Using pfexec
    $ pfexec /opt/SUNWexplo/bin/explorer
    ATTENTION: Are you using Sun Explorer Data Collector to help in the resolution
    of an issue on a Sun product? In some cases, remote collaboration tools such
    as Sun's Shared Shell can accelerate issue resolution. Ask your Service
    representative about Shared Shell or visit http://www.sun.com/sharedshell.
    It's secure, safe, and easy to use.
    ...
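The three files touched above (exec_attr, prof_attr and, via usermod -P, /etc/user_attr) are colon-separated databases, so once a profile is in place it is easy to check what root access it actually hands out. The following audit script is an added example, not part of the original post or of Solaris. It assumes the documented field layouts (exec_attr: name:policy:type:res1:res2:id:attr; prof_attr: name:res1:res2:desc:attr; user_attr: user:qualifier:res1:res2:attr), lists every exec_attr command that runs with uid=0 or euid=0, flags profile names that exec_attr references but prof_attr never defines, and shows which users have been given a named profile. The file locations default to the live ones but are read from the environment, which is how the constructed sample data (the post's two entries plus a few invented ones) is fed in.

```shell
#!/bin/sh
# Added example, not from the original post: audit the three RBAC databases
# the post edits. File locations default to the live files but come from the
# environment so the constructed sample data below can be used instead.

EXEC_ATTR=${EXEC_ATTR:-/etc/security/exec_attr}   # name:policy:type:res1:res2:id:attr
PROF_ATTR=${PROF_ATTR:-/etc/security/prof_attr}   # name:res1:res2:desc:attr
USER_ATTR=${USER_ATTR:-/etc/user_attr}            # user:qualifier:res1:res2:attr

# Emit the logical records of an RBAC database: join backslash-continued lines
# (dropping leading whitespace on the continuation), skip comments and blanks.
rbac_records() {
    awk '
        { if (buf != "") sub(/^[ \t]+/, "", $0); buf = buf $0 }
        /\\$/ { sub(/\\$/, "", buf); next }
        { rec = buf; buf = ""; if (rec ~ /^[ \t]*(#|$)/) next; print rec }
    ' "$1"
}

# "profile<TAB>command" for each exec_attr entry whose attr field sets uid=0 or
# euid=0, i.e. every command a profile holder can run as root through pfexec.
root_commands() {
    rbac_records "$EXEC_ATTR" | awk -F: '
        NF == 7 && $7 ~ /(^|;)e?uid=0(;|$)/ { print $1 "\t" $6 }
    '
}

# Profile names used in exec_attr that prof_attr never defines: dead entries,
# or a typo that means the profile does not grant what its author intended.
undefined_profiles() {
    { rbac_records "$PROF_ATTR" | sed 's/^/P:/'
      rbac_records "$EXEC_ATTR" | sed 's/^/E:/'; } | awk -F: '
        $1 == "P" && NF == 6 { defined[$2] = 1 }
        $1 == "E" && NF == 8 && !($2 in defined) && !seen[$2]++ { print $2 }
    '
}

# Users whose user_attr entry (the file "usermod -P" writes to) lists the
# profile named in $1 inside its profiles= attribute.
users_with_profile() {
    rbac_records "$USER_ATTR" | awk -F: -v want="$1" '
        NF == 5 {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] !~ /^profiles=/) continue
                m = split(substr(kv[i], 10), p, ",")
                for (j = 1; j <= m; j++) if (p[j] == want) print $1
            }
        }
    '
}

# Constructed sample databases: the post's two entries plus an invented second
# root-level profile, a non-root one, an orphaned profile and a second user.
# Written into the directory $1, which the audit functions are then pointed at.
make_sample_data() {
    cat > "$1/exec_attr" <<'EOF'
# name:policy:type:res1:res2:id:attr
log collection:suser:cmd:::/opt/SUNWexplo/bin/explorer:uid=0
Printer Management:suser:cmd:::/usr/sbin/lpadmin:euid=0
File System Management:suser:cmd:::/usr/sbin/mount:privs=sys_mount
Orphan Profile:suser:cmd:::/usr/bin/id:uid=0
EOF
    cat > "$1/prof_attr" <<'EOF'
log collection:::log collection:auths=solaris.smf.manage.system-log,\
     solaris.admin.logsvc.write,solaris.admin.logsvc.read
Printer Management:::Manage printers:auths=solaris.print.admin
File System Management:::Manage file systems:auths=solaris.device.mount
EOF
    cat > "$1/user_attr" <<'EOF'
root::::auths=solaris.*;profiles=All
martinch::::profiles=log collection
ops1::::profiles=Printer Management,log collection
EOF
    EXEC_ATTR=$1/exec_attr PROF_ATTR=$1/prof_attr USER_ATTR=$1/user_attr
}

main() {
    dir=$(mktemp -d) || exit 1
    make_sample_data "$dir"
    echo "== exec_attr commands that run as root =="; root_commands
    echo "== profiles referenced by exec_attr but missing from prof_attr =="; undefined_profiles
    echo "== users granted 'log collection' =="; users_with_profile "log collection"
    rm -rf "$dir"
}
main
```

On a real host, drop the make_sample_data call and run root_commands against the live files; anything listed there is a de facto sudo rule and deserves the same review. The native check for the assignment step is profiles -l martinch, which prints each of the user's profiles together with the commands it permits.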