Less known Solaris features: pfedit - editing is not everything

You have allowed junior to edit httpd.conf, and you are able to monitor the changes with pfedit. However, there is a little problem: she or he can’t restart the Apache daemon to make the new config active. When junior tries to restart, he or she just gets:

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

Of course you don’t want to restart the service yourself every time junior changes the config. On the other hand, you don’t want to give junior root privileges. So what can you do?
Long-time readers of this blog will know what you have to do now: you can work with authorisations to delegate the permission to refresh the service. I explained that a long time ago in “Less known Solaris features: RBAC and Privileges - Part 2: Role based access control”, so I will go through the steps in a condensed manner. We will use the service svc:/network/http:apache22 for this example:

# svcs -a | grep "apache22"
online         15:30:29 svc:/network/http:apache22

First, I will create two authorisations. One is planned to be used for actions (like restarting or refreshing a service), the other is for changing the status of the service (like enabling or disabling it).

# auths add -t "Apache22 value" \
solaris.smf.value.http.apache22
# auths add -t "Apache22 action" \
solaris.smf.action.http.apache22

Now I will assign them to the svc:/network/http:apache22 service:

# svccfg -s apache22 \
setprop general/value_authorization= astring: solaris.smf.value.http.apache22
# svccfg -s apache22 \
setprop general/action_authorization= astring: solaris.smf.action.http.apache22

All I have to do now is to assign this authorisation to the profile “httpd edit” I created in earlier tutorials.

# profiles -p "httpd edit" \
add auths=solaris.smf.action.http.apache22

Let’s check it again.

junior@template:~$ svcadm refresh apache22

Now junior is allowed to restart the service.
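
To check that the delegation is as narrow as intended, the following added example (not part of the original post) audits a user's authorisation list for the action authorisation and flags anything broader. It assumes the list comes from `auths junior` (comma- or newline-separated, with `*` as a trailing wildcard), that junior is meant to refresh and restart only, and that the sample lists are constructed; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Authorisation names are the ones used on this page; the
# sample lists are constructed. On a live system pass "$(auths junior)".
ACTION_AUTH=solaris.smf.action.http.apache22
VALUE_AUTH=solaris.smf.value.http.apache22

# auth_matches GRANTED WANTED: succeeds if GRANTED covers WANTED.
# A granted name ending in "*" covers every name sharing its prefix.
auth_matches() {
    case "$1" in
        *\*) prefix=${1%\*}
             case "$2" in "$prefix"*) return 0 ;; esac
             return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# has_auth LIST WANTED: LIST is comma- or newline-separated.
# Read line by line so a "*" in the list is never glob-expanded.
has_auth() {
    while IFS= read -r granted; do
        [ -n "$granted" ] || continue
        auth_matches "$granted" "$2" && return 0
    done <<EOF
$(printf '%s\n' "$1" | tr ',' '\n')
EOF
    return 1
}

# audit_delegation LIST: prints one finding per line; succeeds only if the
# action authorisation is present and nothing broader is.
audit_delegation() {
    rc=0
    has_auth "$1" "$ACTION_AUTH" || { echo "MISSING: $ACTION_AUTH"; rc=1; }
    # Assumption: junior should refresh/restart only, so the value
    # authorisation and the global SMF ones count as excess.
    for broad in "$VALUE_AUTH" solaris.smf.manage solaris.smf.modify; do
        if has_auth "$1" "$broad"; then echo "EXCESS: $broad"; rc=1; fi
    done
    return $rc
}

# Constructed sample lists.
SAMPLE_OK="solaris.mail.mailq,$ACTION_AUTH"
SAMPLE_WILD="solaris.mail.mailq,solaris.smf.*"
audit_delegation "$SAMPLE_OK" && echo "junior: delegation as intended"
audit_delegation "$SAMPLE_WILD" || echo "junior: delegation too broad"
```

The wildcard case matters because an entry such as `solaris.smf.*` lets `svcadm refresh apache22` succeed just as well, while also covering every other SMF authorisation.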