Less known Solaris 11.1 features: pfedit

It’s a really nifty feature: Let’s assume you have a config file on your system and you want to allow your junior fellow admin to edit it from time to time, but you don’t want to hand him any further rights, because this machine is too important. Solaris 11.1 has an interesting feature to delegate the privilege to edit just that one file. The tool enabling this is called pfedit. We want to enable a user to edit the httpd configuration, so we have to create a profile for that task:

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

Okay, now we assign this profile to the user junior

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

Okay, when the user logs into the system and runs profiles, he or she will see the profile “httpd edit”.

junior@template:~$ profiles
          httpd edit
          Basic Solaris User
          All

So let’s edit the file. Start vi.

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

Damned. You can open that file, but you can’t save it. Well. Not so fast. You have to use the command pfedit to make use of the newly won authorisation.

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

The update is done atomically. At first pfedit makes a copy of the file, then you edit the copy, and when the copy has changed, it is put in place as the new file at the original location.
As there are as many preferences for an editor as there are editors, you can choose the editor by setting the environment variable EDITOR or VISUAL (the latter takes precedence over the former).
Okay, now the new admin wants to edit the mime.types file.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types.

Well, no authorisation to do this. We have to add it. So open a shell as root.

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
	name=httpd edit
	desc=Edit httpd
	auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

And now junior can edit this file as well.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types.
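
Once a few of these profiles exist, the question becomes: which files can a given user actually edit this way? The script below is an added audit helper, not part of the original post or of Solaris itself; it assumes auths(1) prints a comma-separated authorization list (it also accepts one per line) and picks out every solaris.admin.edit/<path> grant, so you can review per-file delegations before they spread.

```shell
# Audit helper: list the files a user's RBAC authorizations let them edit with pfedit.
# pfedit_files reads an authorization list (comma- or newline-separated, as auths(1)
# is assumed to print it) on stdin and prints one file path per line. Only per-file
# grants of the form solaris.admin.edit/<path> are reported; everything else is ignored.
pfedit_files() {
    tr ',' '\n' \
    | sed -n 's#^[[:space:]]*solaris\.admin\.edit\(/.*\)[[:space:]]*$#\1#p'
}

# Live wrapper for a Solaris host: pfedit_files_for_user junior
pfedit_files_for_user() {
    auths "$1" | pfedit_files
}

# Constructed sample input (not captured from a real system): the two grants made
# above plus unrelated authorizations that must not show up in the result.
SAMPLE_AUTHS='solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.mail.mailq,solaris.admin.edit/etc/apache2/2.2/mime.types,solaris.network.autoconf.read'

# Usage on the sample: prints the two apache paths, one per line.
printf '%s\n' "$SAMPLE_AUTHS" | pfedit_files
```

Run it for every account in passwd to get a quick map of who may edit which administrative file.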

Do you want to learn more?

man page: pfedit(1m) - per-file authorized edit of administrative files