Less known Solaris 11.1 features: pfedit
It’s a really nifty feature: Let’s assume, you have a config file in your system and you want to allow your junior fellow admin to edit it from time to time, but don’t want him to pass any further rights to him, because this machine is too important.
Solaris 11.1 has an interesting feature to delegate the privilege to edit just a file. The tool enabling this is called pfedit
.
We want to enable a user to edit the httpd configuration, so we have to create a profile for for that task:
Okay, now we assign this profile to the user junior
Okay, when the user is login into the system and he or she is executing profiles
you will see the profile “http edit”.
So let’s edit the file. Start the vi.
Damned. You can open that file, but you can’t save it. Well. Not so fast. You have to use the command pfedit
to use the new won authorisation.
The update is done atomically. At first pfedit
makes a copy of the file, then you edit the the copy, and when the copy has changed, you will get a new file at the original place.
As there are as many preferences for an editors as there are editors, you can define the editor by setting the environments EDITOR
or VISUAL
(the later beats the first).
Okay, now the new admin want to edit the mime.types
file.
Well, no authorisation to do this. We have to add that. So open a shell as root.
And now the junior
can edit this file as well.
Do you want to learn more?
man page: pfedit(1m) - per-file authorized edit of administrative files