Making pfexec work like sudo under Solaris
Using my course notes, I've created this document as an example. For this example I'll create a profile for user 'martinch' to run Sun's data collection utility (aka explorer).
Create RBAC profile
We need to create a rights profile in the RBAC system under Solaris.
- Add one line to /etc/security/exec_attr
- Add one line to /etc/security/prof_attr
log collection:::log collection:auths=solaris.smf.manage.system-log,solaris.label.range,\
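Before assigning a profile like this, it helps to see exactly which commands it will run as root. The script below is an added example, not part of the original notes: it reads exec_attr(4)-format text and lists the entries that set uid or euid to root, flagging wildcard ids. The sample entries, the function name root_grants and the AWK variable are constructed for illustration and are not the author's actual exec_attr line.

```shell
#!/bin/sh
# Added example: list exec_attr(4) entries that run a command as root.
# Entry format: name:policy:type:res1:res2:id:attr  (one entry per line assumed)
# Uses awk -v; on Solaris set AWK=nawk (or /usr/xpg4/bin/awk).

# Constructed sample entries for illustration only (not the author's lines).
SAMPLE_EXEC_ATTR='# constructed sample
log collection:suser:cmd:::/opt/SUNWexplo/bin/explorer:uid=0
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Too Broad:suser:cmd:::*:uid=0'

# root_grants [PROFILE]
# Reads exec_attr text on stdin and prints "profile|id|attr|scope" for each
# cmd entry whose attributes set uid or euid to 0/root. scope is WILDCARD
# when the id contains "*" (the profile can then run many commands as root).
root_grants() {
    "${AWK:-awk}" -F: -v want="$1" '
        /^#/ || NF < 7 || $3 != "cmd" { next }   # comments, short lines, non-cmd
        want != "" && $1 != want      { next }   # optional profile filter
        {
            root = 0
            n = split($7, kv, ";")               # attr is key=value;key=value
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^e?uid=(0|root)$/) root = 1
            if (!root) next
            scope = "exact"
            if (index($6, "*") > 0) scope = "WILDCARD"
            print $1 "|" $6 "|" $7 "|" scope
        }'
}

# Demo on the constructed sample; on a real host use:
#   root_grants 'log collection' < /etc/security/exec_attr
printf '%s\n' "$SAMPLE_EXEC_ATTR" | root_grants
```

An entry reported as WILDCARD gives the profile root on every matching command, which is much wider than the single-utility profile built here.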
Assign profile to user
We now need to assign the profile to the user using the usermod command, for example:
# usermod -P'log collection' martinch
NOTE: If user 'martinch' is logged in, simply log out and log in again, and the user will then have access to the RBAC profile. (I haven't found a way of dynamically assigning to an active user, but it takes seconds to log out and log in again.)
Testing new profile
Once logged back in, we can run explorer without and then with the RBAC profile to confirm that it works.
- Run as a normal user
Jun 01 13:53:21 smurf explorer: FATAL exited: Must be run as root
- Using pfexec
$ pfexec /opt/SUNWexplo/bin/explorer
ATTENTION: Are you using Sun Explorer Data Collector to help in the resolution
of an issue on a Sun product? In some cases, remote collaboration tools such
as Sun's Shared Shell can accelerate issue resolution. Ask your Service
representative about Shared Shell or visit http://www.sun.com/sharedshell.
It's secure, safe, and easy to use.