slimdog360

pfexec command

I'm on OpenSolaris and every wiki/blog/whatever that says how to do something has a 'pfexec' command before practically every line. I read the man page for it and all I could understand was that it lets you use the privileges assigned to your profile. I was of the thinking that one would already have access to these privileges without doing anything special. Also, if it does give you greater privileges, why not just use root?

 

I know there must be more to this command since I see it everywhere, and I'm curious to find out what that something more is. I know there are a couple of Solaris gurus around the forums so I'm sure somebody can help me out.

 

Thanks

 

edit: okay, after a bit of mucking around, it seems as though the command gives you root privileges without entering the root password. Should this be happening? Isn't it a bad thing security-wise?


In Solaris, when a user runs the su command to assume a role, a profile shell is invoked. It is a hardlink to the normal shell, e.g. bash, but allows for checking which privileges are assigned to that role. The standard shells are not aware of the additional rights and privileges, and cannot be used as profile shells. Before any command is executed, the profile shell checks the role's profile and commands associated with this profile. pfexec executes a command with the attributes and privileges specified. The concept of greater privileges comes from RBAC; don't think of it as more power, but about properly and securely separating the power that is already there.

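An audit sketch for the profile lookup described in the reply above, added here as an example and not part of the original thread: it lists which commands a user's directly assigned rights profiles would run as uid 0, which is what decides whether pfexec behaves like passwordless root. It assumes the colon-separated layouts of Solaris user_attr(4) and exec_attr(4), ignores default profiles from policy.conf and nested profiles, and uses constructed sample entries and hypothetical function names.

```shell
#!/bin/sh
# Added example: which exec_attr entries would run as uid 0 for a given user.
# Function names are hypothetical; the sample entries below are constructed.

# profiles_for USER USER_ATTR_FILE -> one directly assigned profile per line
profiles_for() {
    awk -F: -v u="$1" '
        $0 !~ /^#/ && $1 == u {
            n = split($5, kv, ";")              # attr field: key=value;key=value
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^profiles=/) {
                    sub(/^profiles=/, "", kv[i])
                    m = split(kv[i], p, ",")    # comma-separated profile names
                    for (j = 1; j <= m; j++) print p[j]
                }
        }' "$2"
}

# root_cmds USER USER_ATTR_FILE EXEC_ATTR_FILE -> "profile<TAB>command" per uid=0/euid=0 entry
root_cmds() {
    profiles_for "$1" "$2" | while IFS= read -r prof; do
        awk -F: -v p="$prof" '
            $0 !~ /^#/ && $1 == p && $3 == "cmd" && (";" $7 ";") ~ /;e?uid=0;/ {
                print $1 "\t" $6                # $6 is the command path, "*" means any
            }' "$3"
    done
}

# write_sample DIR -> constructed user_attr and exec_attr files for the demo
write_sample() {
cat > "$1/user_attr" <<'EOF'
alice::::type=normal;profiles=Primary Administrator
bob::::type=normal;profiles=Printer Management,Basic Solaris User
EOF
cat > "$1/exec_attr" <<'EOF'
Primary Administrator:suser:cmd:::*:uid=0;gid=0
Printer Management:suser:cmd:::/usr/sbin/lpadmin:euid=0
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=lp
Basic Solaris User:suser:cmd:::/usr/bin/cdrecord:privs=sys_devices
EOF
}

d=$(mktemp -d) && write_sample "$d"
root_cmds alice "$d/user_attr" "$d/exec_attr"   # wildcard entry: every command as root
root_cmds bob "$d/user_attr" "$d/exec_attr"     # only the one scoped command
rm -rf "$d"
```

A user whose only hit is a single command path has narrowly separated power; a hit on `*` means any command prefixed with pfexec runs as root.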

In Solaris, when a user runs the su command to assume a role, a profile shell is invoked. It is a hardlink to the normal shell, e.g. bash, but allows for checking which privileges are assigned to that role. The standard shells are not aware of the additional rights and privileges, and cannot be used as profile shells. Before any command is executed, the profile shell checks the role's profile and commands associated with this profile. pfexec executes a command with the attributes and privileges specified. The concept of greater privileges comes from RBAC; don't think of it as more power, but about properly and securely separating the power that is already there.

I don't know about you guys but I just got moist.
