Less known Solaris features: pfexec
One of my first tutorials was the tutorial about RBAC. In this new tutorial I want to come back to this topic. In the RBAC tutorial I used su to assume a different role. But Solaris offers an additional way to work with the privileges of a different role.
Before trying out the commands in this document you should familiarise yourself with the concepts and commands of RBAC in Solaris by reading the Role Based Access Control tutorial.
pfexec
You can use the RBAC features in two ways. On one side, you can create a role account and assign a rights profile to it. You can assume this role by using the su command. I assume you've read the RBAC tutorial, so you should be aware of terms like role and rights profile.
A rights profile is a collection of administrative capabilities that can be assigned to a role or to a user. A rights profile can consist of authorizations, of commands with security attributes, and of other rights profiles. Rights profiles offer a convenient way to group security attributes.
On the other side, you can assign a rights profile, or several of them, directly to a user account. You can log into your account and use it as a normal user. The pfexec command is very important for the following tasks. As long as you don't use pfexec, your commands are executed unaware of any rights assigned by the rights profiles. You have to prepend pfexec to your command. This executes your command in the context of your assigned profile.
The interesting point about pfexec: you don't have to type in a password. You can think of it as a passwordless su or sudo.
Using pfexec to delegate administration
Let's assume you are a user on your system and you have to share and unshare directories on a regular basis. Of course you can't do this with your normal user privileges. But you can add a profile with these rights to your user. Let's check for a matching profile. We need the share command. Let's do a quick check in exec_attr:
So you have to assign the File System Management profile to a user; the user is then able to execute the configured commands with root privileges. So let's assign this profile to the user jmoekamp:
You have to log out now and log in again. Now we try to export the filesystem again, but this time we use pfexec. The pfexec command is used to execute other commands with the attributes specified by the user's profiles.
Et voila … you were able to share the directory.
Providing root privileges with pfexec
But there is another interesting use case for pfexec. When you look into /etc/security/exec_attr, you will find the following entry:
So every command will be executed with the uid 0 and the gid 0. So you have essentially root privileges for anything you execute under the control of pfexec. Let's try this. We execute id -a twice.
Without pfexec you have the uid of your own user. When you execute the same command under the control of pfexec, you see the uid and gid of the root user. Now it's really simple to get a root bash shell on your system. Perhaps you are tired of typing pfexec again and again:
This is a cool feature for several reasons. You don't have to give the root password away; users with the Primary Administrator execution profile can get a root shell for their work. To withdraw the root privilege, you just have to remove the Primary Administrator profile from the user. No need to set a new root password.
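The two files discussed above, exec_attr and user_attr, are what decide who reaches uid 0 through pfexec. As an added example that is not part of the original post, the following Python script parses both formats (exec_attr(4): name:policy:type:res1:res2:id:attr, user_attr(4): user:qualifier:res1:res2:attr) and reports, per user, which commands run as root, with a wildcard entry like the Primary Administrator one meaning any command. The file contents are constructed samples; profiles nested through prof_attr are deliberately not followed.

```python
from collections import defaultdict

# Constructed sample of /etc/security/exec_attr (name:policy:type:res1:res2:id:attr)
EXEC_ATTR = """\
Primary Administrator:suser:cmd:::*:uid=0;gid=0
File System Management:suser:cmd:::/usr/sbin/share:uid=0;gid=root
File System Management:suser:cmd:::/usr/sbin/unshare:uid=0;gid=root
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=lp
"""
# Constructed sample of /etc/security/user_attr (user:qualifier:res1:res2:attr)
USER_ATTR = """\
root::::type=normal;auths=solaris.*;profiles=All
jmoekamp::::type=normal;profiles=File System Management
alice::::type=normal;profiles=Primary Administrator,Basic Solaris User
"""

def parse_attrs(attr_field):
    """Turn 'uid=0;gid=root' into {'uid': '0', 'gid': 'root'}."""
    pairs = (kv.split("=", 1) for kv in attr_field.split(";") if "=" in kv)
    return {k.strip(): v.strip() for k, v in pairs}

def root_grants(exec_attr_text):
    """Profile name -> commands that pfexec runs with uid 0 ('*' = any command)."""
    grants = defaultdict(list)
    for line in exec_attr_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or fields[2] != "cmd":
            continue  # comment, blank line or a non-command entry
        attrs = parse_attrs(fields[6])
        if attrs.get("uid") in ("0", "root") or attrs.get("euid") in ("0", "root"):
            grants[fields[0]].append(fields[5])
    return dict(grants)

def users_with_root(exec_attr_text, user_attr_text):
    """User -> sorted root-capable commands; nested profiles (prof_attr) are not followed."""
    grants = root_grants(exec_attr_text)
    result = {}
    for line in user_attr_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 5:
            continue
        profiles = parse_attrs(fields[4]).get("profiles", "").split(",")
        cmds = sorted(c for p in profiles for c in grants.get(p.strip(), []))
        if cmds:
            result[fields[0]] = cmds
    return result

if __name__ == "__main__":
    for user, cmds in users_with_root(EXEC_ATTR, USER_ATTR).items():
        print(f"{user}: {'ANY COMMAND' if '*' in cmds else ', '.join(cmds)}")
```

Run against the real files by reading /etc/security/exec_attr and /etc/security/user_attr instead of the samples; any user listed with ANY COMMAND effectively holds a passwordless root shell.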
Conclusion
pfexec is the Solaris sudo. It has some advantages. First, pfexec is passwordless, so you have the already mentioned advantages of assigning and revoking privileges. You can log the actions of the pfexec command with Solaris Auditing. So pfexec is a really useful tool.
By the way: the user you create in the installation GUI of OpenSolaris 2008.05 is automatically assigned the Primary Administrator rights profile. Thus you can directly start to use pfexec.
Do you want to learn more?
man pages
docs.sun.com: pfexec(1) – execute a command in a profile
Tutorials
c0t0d0s0.org: Less known Solaris features: RBAC and Privileges