Jump to content


Photo

pfexec command


  • Please log in to reply
3 replies to this topic

#1 slimdog360

slimdog360

    Primarch

  • Atomican
  • 1,515 posts

Posted 12 September 2008 - 05:09 PM

I'm on opensolaris and every wiki/blog/whatever that says how to do something have a 'pfexec' command before practically every line. I read the man page for it and all I could understand was that it lets you use the privileges assigned to your profile. I was of the thinking that one would already have access to these privileges without doing anything special. Also, if it does give you greater privileges, why not just use root? I know there must be more to this command since I see it everywhere, and I'm curious to find out what that something more is. I know there are a couple of Solaris gurus around the forums so I'm sure somebody can help me out. Thanks edit: okay, after a bit of mucking around, it seems as though the command gives you root privileges without entering the root password. Should this be happening? Isn't it a bad thing security wise?

I for one welcome our new chicken overlord.


#2 TheSecret

TheSecret

    Champion

  • Banned
  • 6,301 posts

Posted 12 September 2008 - 07:01 PM

In Solaris, when a user runs the su command to assume a role, a profile shell is invoked. It is a hardlink to the normal shell, eg bash, but allows for checking which privleges are assigned to that role. The standard shells are not aware of the additional rights and privleges, and can not be used as profile shells. Before any command is executed, the profile shell checks the role’s profile and commands associated with this profile. pfexec executes a command with the attributes and previleges specified. The concept of greater privoöeges comes from RBAC, don't think of it as more power, but about properly and securly separating the power that is already there.
The most difficult subjects can be explained to the most slow-witted man if he has not formed any idea of them already; but the simplest thing cannot be made clear to the most intelligent man if he is firmly persuaded that he knows already, without a shadow of doubt, what is laid before him. - Tolstoy

#3 lew~

lew~

    Champion

  • Atomican
  • 7,913 posts

Posted 12 September 2008 - 07:21 PM

In Solaris, when a user runs the su command to assume a role, a profile shell is invoked. It is a hardlink to the normal shell, eg bash, but allows for checking which privleges are assigned to that role. The standard shells are not aware of the additional rights and privleges, and can not be used as profile shells. Before any command is executed, the profile shell checks the role’s profile and commands associated with this profile. pfexec executes a command with the attributes and previleges specified. The concept of greater privoöeges comes from RBAC, don't think of it as more power, but about properly and securly separating the power that is already there.

I don't know about you guys but I just got moist.

#4 slimdog360

slimdog360

    Primarch

  • Atomican
  • 1,515 posts

Posted 12 September 2008 - 07:47 PM

ahh, thanks. I think I understand it a bit better now.

I for one welcome our new chicken overlord.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users