Less known Solaris features: pfedit - editing is not everything
You have allowed junior to edit the httpd.conf and you are able to monitor the changes with pfedit. However, there is a little problem: she or he can’t restart the Apache daemon to make the new config active. When junior tries to restart it, he or she just gets:
Of course you don’t want to restart the service yourself every time junior changes the config. On the other hand, you don’t want to give junior root privileges. So what can you do?
Long-time readers of this blog will know what you have to do now: you can work with authorisations to delegate the permission to refresh the service. I explained that a long time ago in “Less known Solaris features: RBAC and Privileges - Part 2: Role based access control”.
So I will go through the steps only briefly, in condensed form:
Okay, we will use the service svc:/network/http:apache22 for this example:
At first, I will create two authorisations. One is planned to be used for actions (like restarting or refreshing a service), the other for changing the status of the service (like enabling or disabling it).
Now I will assign them to the svc:/network/http:apache22 service:
All I have to do now is to assign this authorisation to the profile “http edit” I have created in earlier tutorials.
Let’s check it again.
junior is now allowed to restart the service.
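The steps above as one script, with a check at the end; this is an added example, not the commands from the original post. The two authorisation names are assumptions, the FMRI and the profile name are the ones used in the text, and only the action authorisation is given to the profile because that is all a restart needs.

```shell
#!/bin/sh
# Added example, not the original post's commands. The authorisation names
# are assumed; the FMRI and the profile name are the ones the post uses.
FMRI="svc:/network/http:apache22"
PROFILE="http edit"
ACTION_AUTH="solaris.smf.manage.apache22"   # assumed name: restart/refresh
VALUE_AUTH="solaris.smf.value.apache22"     # assumed name: enable/disable

# Step 1: register both authorisations.
create_auths() {
    auths add -t "Restart or refresh apache22" "$ACTION_AUTH" &&
    auths add -t "Enable or disable apache22" "$VALUE_AUTH"
}

# Step 2: make SMF demand them for this one service instance, then
# refresh so the new properties reach the running snapshot.
bind_auths() {
    svccfg -s "$FMRI" setprop general/action_authorization = astring: "$ACTION_AUTH" &&
    svccfg -s "$FMRI" setprop general/value_authorization = astring: "$VALUE_AUTH" &&
    svcadm refresh "$FMRI"
}

# Step 3: junior only has to restart, so the profile gets the action
# authorisation alone; the value authorisation stays with the admin.
grant_to_profile() {
    profiles -p "$PROFILE" "add auths=$ACTION_AUTH"
}

# Check: succeeds only if the service really carries both properties.
verify_binding() {
    [ "$(svcprop -p general/action_authorization "$FMRI")" = "$ACTION_AUTH" ] &&
    [ "$(svcprop -p general/value_authorization "$FMRI")" = "$VALUE_AUTH" ]
}

delegate_restart() {
    create_auths && bind_auths && grant_to_profile && verify_binding
}

# Run as root: sh delegate.sh apply
if [ "${1:-}" = "apply" ]; then
    delegate_restart
fi
```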