Less known Solaris features: pfexec

One of my first tutorials was the tutorial about RBAC. In this new tutorial I want to come back to this topic. In the RBAC tutorial I used su to assume a different role. But Solaris offers an additional way to work with the privileges of a different role.
Before trying out the commands in this document you should familiarise yourself with the concepts and commands of RBAC in Solaris by reading the Role Based Access Control tutorial.

pfexec

You can use the RBAC features in two ways. On one side, you can create a role account and assign a rights profile to it. You can assume this role by using the su command. I assume you've read the RBAC tutorial, so you should be aware of terms like role and rights profile.

[A rights profile] is a collection of administrative capabilities that can be assigned to a role or to a user. A rights profile can consist of authorizations, of commands with security attributes, and of other rights profiles. Rights profiles offer a convenient way to group security attributes.

But you can also assign a rights profile or more roles directly to a user account. You can log into your account and use it as a normal user. The pfexec command is very important for the following tasks. As long as you don't use pfexec, your commands are executed without any of the rights granted by your rights profiles. You have to prepend pfexec to your command. This executes your command in the context of your assigned profile. The interesting point about pfexec: you don't have to type in a password. You can think of it as a passwordless su or sudo.

Using pfexec to delegate administration

Let’s assume you are a user on your system and you have to share and unshare directories on a regular basis. Of course you can’t do this with your normal user privileges.

bash-3.2$ /usr/sbin/share /export/home/jmoekamp
Could not share: /export/home/jmoekamp: no permission

But you can add a profile with these rights to your user. Let's check for a matching profile. We need the share command. Let's do a quick check in exec_attr:

# grep "share" /etc/security/exec_attr 
File System Management:suser:cmd:::/usr/sbin/dfshares:euid=0
File System Management:suser:cmd:::/usr/sbin/share:uid=0;gid=root
File System Management:suser:cmd:::/usr/sbin/shareall:uid=0;gid=root
File System Management:suser:cmd:::/usr/sbin/sharemgr:uid=0;gid=root
File System Management:suser:cmd:::/usr/sbin/unshare:uid=0;gid=root
File System Management:suser:cmd:::/usr/sbin/unshareall:uid=0;gid=root
[...]

So once you assign the File System Management profile to a user, that user is able to execute the configured commands with root privileges. Let's assign this profile to the user jmoekamp:

bash-3.2$ su root
Password: 
# usermod -P'File System Management' jmoekamp
UX: usermod: jmoekamp is currently logged in, some changes may not take effect until next login.

You have to log out now and log in again. Now we try to export the filesystem again, but this time we use pfexec. The pfexec command is used to execute other commands with the attributes specified by the user’s profiles.

$ pfexec /usr/sbin/share /export/home/jmoekamp
$ /usr/sbin/share
-               /export/home/jmoekamp   rw   ""  

Et voila … you were able to share the directory.

Providing root privileges with pfexec

But there is another interesting use case for pfexec:

# usermod -P'Primary Administrator' jmoekamp
UX: usermod: jmoekamp is currently logged in, some changes may not take effect until next login.

When you look into /etc/security/exec_attr, you will find the following entry:

bash-3.2# cat /etc/security/exec_attr | grep "Primary"
Primary Administrator:suser:cmd:::*:uid=0;gid=0

So every command will be executed with uid 0 and gid 0. You essentially have root privileges for anything you execute under the control of pfexec. Let's try this. We execute id -a twice.

$ id -a
uid=100(jmoekamp) gid=1(other) groups=1(other)
$ pfexec id -a
uid=0(root) gid=0(root) groups=1(other)

Without pfexec you have the uid of your own user. When you execute the same command under the control of pfexec, you see the uid and gid of the root user. Now it's really simple to get a root bash shell on your system. Perhaps you are tired of typing in pfexec again and again:

$ pfexec bash
bash-3.2# id
uid=0(root) gid=0(root)

This is a cool feature for several reasons. You don't have to give the root password away; users with the Primary Administrator execution profile can get a root shell for their work. To withdraw the root privilege, you just have to remove the Primary Administrator profile. No need to set a new root password.
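Since withdrawing root means removing the profile, it is useful to be able to list who currently holds a profile like Primary Administrator. The following is an added example, not part of the original tutorial: it reads exec_attr for profiles that map every command (`*`) to uid 0 or euid 0, then reports the users in user_attr that have such a profile assigned. The function name, the AWK variable and the user_attr sample lines are assumptions made for illustration; the exec_attr sample lines are the ones shown above.

```shell
#!/bin/sh
# Added example: which users can run *any* command as uid 0 through pfexec?
# users_with_root_profile is a hypothetical helper, not a Solaris command.

# usage: users_with_root_profile [exec_attr] [user_attr]
users_with_root_profile() {
    ${AWK:-awk} -F: '
        FNR == NR {   # first file: exec_attr (name:policy:type:res1:res2:id:attr)
            if ($3 == "cmd" && $6 == "*" && $7 ~ /(^|;)e?uid=0(;|$)/)
                risky[$1] = 1
            next
        }
        /^#/ || NF < 5 { next }   # second file: user_attr, skip comments
        {
            n = split($5, attrs, ";")          # attr field: key=value;key=value
            for (i = 1; i <= n; i++) {
                if (attrs[i] !~ /^profiles=/) continue
                sub(/^profiles=/, "", attrs[i])
                m = split(attrs[i], profs, ",")  # comma-separated profile names
                for (j = 1; j <= m; j++)
                    if (profs[j] in risky) print $1 ": " profs[j]
            }
        }
    ' "${1:-/etc/security/exec_attr}" "${2:-/etc/user_attr}"
}

# Constructed sample data so the example runs on any system.
demo=$(mktemp -d)
cat > "$demo/exec_attr" <<'EOF'
File System Management:suser:cmd:::/usr/sbin/share:uid=0;gid=root
File System Management:suser:cmd:::/usr/sbin/unshare:uid=0;gid=root
Primary Administrator:suser:cmd:::*:uid=0;gid=0
EOF
cat > "$demo/user_attr" <<'EOF'
# constructed sample entries
jmoekamp::::type=normal;profiles=Primary Administrator,File System Management
alice::::type=normal;profiles=File System Management
EOF

users_with_root_profile "$demo/exec_attr" "$demo/user_attr"
```

On Solaris, set AWK=nawk (or /usr/xpg4/bin/awk), because /usr/bin/awk is the older awk without sub() and the in operator. The check only looks at profiles assigned directly in user_attr and does not follow profiles nested inside other profiles.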

Conclusion

pfexec is the Solaris sudo. It has some advantages. First, pfexec is passwordless, so you have the already mentioned advantages when assigning and revoking privileges. You can also log the actions of the pfexec command with Solaris Auditing. So pfexec is a really useful tool. By the way: the user you create in the installation GUI of OpenSolaris 2008.05 is automatically assigned the Primary Administrator rights profile. Thus you can directly start to use pfexec.

Do you want to learn more?

man pages
docs.sun.com: pfexec(1) – execute a command in a profile

Tutorials
c0t0d0s0.org: Less known Solaris features: RBAC and Privileges