
Config Solaris pfexec as sudo on Linux



On Solaris, you can use the RBAC features in two ways.
One is to create a role account and assign a rights profile to it. You assume this role with the su command.
The other is to assign a rights profile, or one or more roles, directly to a user account. You log into your own account and use it as a normal user, very much like sudo.
The pfexec program is used to execute commands with the attributes specified by the user's profiles in exec_attr(4).
I split this into two steps in the examples below.

Using pfexec to delegate administration

By default, there are several predefined profiles in the RBAC system on Solaris; you can check /etc/security/exec_attr and /etc/security/prof_attr. To assign a profile to a user, for example the 'Primary Administrator' profile to user 'John':
# usermod -P'Primary Administrator'  John
UX: usermod: John is currently logged in, some changes may not take effect until next login.
     
What can John do in his next login session? Check /etc/security/exec_attr and you will find the following entry:

# cat /etc/security/exec_attr | grep "Primary Administrator"
Primary Administrator:suser:cmd:::*:uid=0;gid=0
In this way, John has been assigned root privileges to the system under the control of pfexec:

$ id -a
uid=502(John) gid=502(other)
$ pfexec id -a
uid=0(root) gid=0(root) groups=1(other)

Want to do everything as root without pfexec? Try this:
$ pfexec bash
# id
uid=0(root) gid=0(root)

To withdraw the root privilege, you just have to remove the Primary Administrator profile from the user. No need to set a new root password.

Compared with sudo, the door seems too wide.

Make pfexec work like sudo

First, you need to create a rights profile in the RBAC system on Solaris. You can either edit the attr files by hand or use /usr/sadm/bin/smexec to do it.
In the example below, I want to create a profile that can run explorer to collect system information.
Add one line to /etc/security/exec_attr:
log collection:suser:cmd:::/opt/SUNWexplo/bin/explorer:uid=0

Add one line to /etc/security/prof_attr:

log collection:::log collection:auths=solaris.smf.manage.system-log,solaris.label.range,\
solaris.admin.logsvc.write,solaris.admin.logsvc.read,solaris.compsys.write,solaris.compsys.read

Second, assign the profile to user John:
usermod -P'log collection'  John

Then log in as John and run explorer under pfexec.
Run in normal mode:

$ /opt/SUNWexplo/bin/explorer
Jan 04 23:35:46 testnode[27965] explorer: FATAL exited: Must be run as root

Under pfexec:
$ pfexec /opt/SUNWexplo/bin/explorer

ATTENTION: Are you using Sun Explorer Data Collector to help in the resolution
of an issue on a Sun product? In some cases, remote collaboration tools such
as Sun's Shared Shell can accelerate issue resolution.  Ask your Service
representative about Shared Shell or visit http://www.sun.com/sharedshell.
It's secure, safe, and easy to use.
...
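To see what a given user's profiles actually let pfexec run, the three databases above (user_attr, prof_attr, exec_attr) can be cross-checked with a short audit script. The script below is an added example, not part of the original page; it works on constructed copies of user_attr and exec_attr in a temporary directory (a real audit would point RBAC_DIR at /etc and /etc/security) and flags any profile that grants a wildcard command as uid=0, which is what makes 'Primary Administrator' so much wider than the 'log collection' profile.

```bash
#!/bin/bash
# Added audit helper (not from the original page): given Solaris RBAC databases,
# list what each user may run through pfexec and flag wildcard root grants.
# RBAC_DIR would normally be /etc (user_attr) and /etc/security (exec_attr);
# here it points at constructed sample files so the script runs anywhere.
RBAC_DIR=$(mktemp -d)
trap 'rm -rf "$RBAC_DIR"' EXIT

# Constructed user_attr: user:qualifier:res1:res2:attr (attrs separated by ';')
cat > "$RBAC_DIR/user_attr" <<'EOF'
john::::type=normal;profiles=log collection,All
mary::::type=normal;profiles=Primary Administrator
EOF

# Constructed exec_attr: profile:policy:type:res1:res2:id:attr
# (the two entries discussed above plus the stock "All" profile)
cat > "$RBAC_DIR/exec_attr" <<'EOF'
Primary Administrator:suser:cmd:::*:uid=0;gid=0
log collection:suser:cmd:::/opt/SUNWexplo/bin/explorer:uid=0
All:suser:cmd:::*:
EOF

# Print the comma-separated profile list from the user's user_attr entry.
user_profiles() {
  awk -F: -v u="$1" '$1 == u {
    n = split($5, kv, ";")
    for (i = 1; i <= n; i++) if (kv[i] ~ /^profiles=/) print substr(kv[i], 10)
  }' "$RBAC_DIR/user_attr"
}

# For every profile of the user, print one line per exec_attr cmd entry:
# profile|command|attributes   (command "*" means any command)
pfexec_grants() {
  user_profiles "$1" | tr ',' '\n' | while IFS= read -r prof; do
    awk -F: -v p="$prof" '$1 == p && $3 == "cmd" { print p "|" $6 "|" $7 }' \
      "$RBAC_DIR/exec_attr"
  done
}

# Succeeds when some profile lets the user run any command ("*") with uid=0,
# i.e. the Primary Administrator situation described above.
has_root_wildcard() {
  pfexec_grants "$1" | grep -q '^[^|]*|\*|.*uid=0'
}

for u in john mary; do
  echo "== $u"
  pfexec_grants "$u"
  has_root_wildcard "$u" && echo "WARNING: $u can run any command as root via pfexec"
done
```

Nested profiles (a prof_attr entry whose attr field lists further profiles=) are not followed by this version, so a complete audit would recurse through prof_attr as well.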