Thursday Dec 02, 2010


We here in Solaris land have expended a lot of energy in the past explaining pfexec. In the simplest case it was described as an alias for sudo (and when I first came to Solaris, I'm somewhat embarrassed to admit I did just that: created an alias for sudo that pointed to pfexec). But having an alternative to sudo was one of those things that made Solaris "different". When OpenSolaris was first released we tracked unsuccessful searches against our package repository, and sudo was at the top of that list.

As part of the modernization effort for Solaris, sudo eventually found its way into OpenSolaris (beginning with the 2008.11 release). However, by that time I was pretty comfortable with pfexec and never looked back, until now, that is.

A big change in the Solaris 11 Express release is that pfexec has been rendered relatively toothless out of the box. The "Primary Administrator" profile is no longer assigned to the user created during installation. If you've upgraded from an earlier release of OpenSolaris, you are unaffected by this change. However, on a fresh installation of Solaris 11 Express, commands that used to work will no longer. For example:

bleonard@solaris:~$ pfexec zfs create rpool/myfs
cannot create 'rpool/myfs': permission denied

However, sudo now works just fine:

bleonard@solaris:~$ sudo zfs create rpool/myfs

One big difference you'll notice is that sudo requires a password, and this is your password, not the root password (which I'll address in a moment). The lack of a password prompt was the whole reason for the "Primary Administrator" profile being dropped in the first place, although sudo can be configured to behave the same way.

If you've upgraded to Solaris 11 Express, you have the opposite problem: pfexec still works as you're accustomed to, but sudo reports you to the sudo police.

bleonard@solaris:~$ sudo zfs create rpool/myfs

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

bleonard is not in the sudoers file.  This incident will be reported. 

The report actually shows up in the /var/adm/messages file:

Dec  2 11:21:57 solaris sudo: [ID 702911 auth.alert] bleonard : user NOT in sudoers ; TTY=pts/2 ; PWD=/export/home/bleonard ; USER=root ; COMMAND=/usr/sbin/zfs create rpool/myfs
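As an added example (not from the original post), here is a small Python parser for sudo entries in /var/adm/messages in the format of the line quoted above; it picks out refused invocations so they can be reviewed. The sample lines are constructed, apart from the one quoted above.

```python
import re
from typing import Iterable, Optional

# Layout of the sudo entries Solaris writes to /var/adm/messages, matching the
# line quoted above; the "[ID nnnnnn facility.level]" tag is optional so plain
# syslog output without it parses too.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: "
    r"(?:\[ID \d+ (?P<sev>[\w.]+)\] )?(?P<user>\S+) : (?P<rest>.*)$"
)
# sudo's field names mapped to the keys used below (USER is the run-as user)
FIELDS = {"TTY": "tty", "PWD": "cwd", "USER": "runas", "COMMAND": "command"}

def parse_sudo_line(line: str) -> Optional[dict]:
    """Return a dict for one sudo log line, or None if the line is not from sudo."""
    m = SUDO_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "user": m["user"], "reason": None}
    for part in m["rest"].split(" ; "):
        key, sep, val = part.partition("=")
        if sep:
            ev[FIELDS.get(key, key.lower())] = val
        else:
            ev["reason"] = part  # free text, e.g. "user NOT in sudoers"
    ev["denied"] = ev["reason"] is not None
    return ev

def denied_attempts(lines: Iterable[str]) -> list:
    """(user, run-as user, command, reason) for every refused invocation."""
    out = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev and ev["denied"]:
            out.append((ev["user"], ev.get("runas"), ev.get("command"), ev["reason"]))
    return out

# Constructed sample: line 1 is the entry quoted above, line 2 a made-up
# successful invocation, line 3 unrelated syslog noise.
SAMPLE_LOG = [
    "Dec  2 11:21:57 solaris sudo: [ID 702911 auth.alert] bleonard : user NOT in sudoers ; "
    "TTY=pts/2 ; PWD=/export/home/bleonard ; USER=root ; COMMAND=/usr/sbin/zfs create rpool/myfs",
    "Dec  2 11:30:02 solaris sudo: [ID 702911 auth.notice] bleonard : "
    "TTY=pts/2 ; PWD=/export/home/bleonard ; USER=root ; COMMAND=/usr/sbin/zfs create rpool/myfs",
    "Dec  2 11:31:10 solaris syslogd: going down on signal 15",
]
```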

I'll address setting up sudo at the end of this entry.

The root Password

In the continued simplification of the Solaris 11 Express installer, it now only asks for one password, which is used as the password for both the root account and the initial user account:

However, the root password is immediately expired, as you'll see if you try to switch to root:

bleonard@solaris:~$ su
su: Password for user 'root' has expired
New Password: 

As you no longer have Primary Administrator privileges, GUI tools requiring administrator privileges will now also prompt you for the root password. For example, if you try to start the Package Manager GUI, you'll first be presented with:

There is one little glitch to be aware of: if you attempt to run a GUI that prompts for the root password, and the root password is expired, the GUI just exits. No warning or prompt for a new password is provided. This issue is being addressed: Gksu does not report expired password. So just make sure you attempt an su from the command line, and set a new root password, before trying to use the GUI tools that require the root password.

The root Role

If you look at the installer screen capture above, you'll see that the initial user is assigned administrative privileges. Although this is not in the form of the "Primary Administrator" profile, the user created at installation time does have the root role assigned to them.

bleonard@solaris:~$ roles

Some people mistakenly think that having the root role allows them to use pfexec. pfexec stands for Profile Execute, and executes commands against your assigned profiles, not your assigned roles. The root role simply allows you to su to the root user account.

The /etc/sudoers file

Now to the reason why sudo works on a fresh install of Solaris 11 Express, but not on a version upgraded from OpenSolaris. When a command is prefixed with pfexec, it first checks to see if the user executing the command has a profile which allows the execution of that command. Very similarly, when a command is prefixed with sudo, the /etc/sudoers file is first consulted to see if the user is allowed to execute that command.

The /etc/sudoers file is well documented and you can define very fine-grained rules as to what a particular user is allowed to do. In the case of the user created during installation, the user is allowed to do everything (just as if they were root). Here's what the entry for my user, bleonard, looks like:

bleonard ALL=(ALL) ALL

The entry above is stating that user bleonard can run any command on any host as any user. For further details on how to fine tune a user's privileges, see the sudoers man page.
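To make the "user host=(runas) commands" structure concrete, here is an added Python example (not part of the original post) that parses sudoers user specifications, including the NOPASSWD: tag from sudoers(5), and answers whether a user may run a command and whether a password will be asked for. The sample file is constructed, and the matching is deliberately simplified: no aliases, wildcards or host matching.

```python
import re
from typing import Optional

# sudoers user spec "who  where=(as_whom) [TAG:] what"; no aliases, wildcards or host matching here
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")

def parse_sudoers_entry(line: str) -> Optional[dict]:
    """Parse one user specification; None for blank, comment, Defaults or alias lines."""
    line = line.split("#", 1)[0].strip()
    m = ENTRY_RE.match(line) if line and not line.startswith(SKIP) else None
    if not m:
        return None
    runas_users = (m["runas"] or "root").partition(":")[0]  # "(user:group)" form
    tags = {t.rstrip(":") for t in m["tags"].split()}
    return {
        "user": m["user"],
        "runas": [u.strip() for u in runas_users.split(",")],
        "commands": [c.strip() for c in m["cmds"].split(",")],
        "nopasswd": "NOPASSWD" in tags,  # sudoers(5) tag that skips the password prompt
    }

def _cmd_matches(pattern: str, command: str) -> bool:
    if pattern == "ALL":
        return True
    if " " in pattern:  # entry pins the arguments: they must match exactly
        return pattern == command
    return command.split()[0] == pattern  # bare path: any arguments allowed

def check(entries: list, user: str, command: str, runas: str = "root") -> tuple:
    """Return (allowed, password_required) for user running command as runas."""
    for e in entries:
        if e["user"] != user or ("ALL" not in e["runas"] and runas not in e["runas"]):
            continue
        if any(_cmd_matches(p, command) for p in e["commands"]):
            return True, not e["nopasswd"]
    return False, True

# Constructed sample file, not a real /etc/sudoers.
SAMPLE_SUDOERS = """
Defaults    requiretty
bleonard    ALL=(ALL) ALL
ops         ALL=(ALL) NOPASSWD: ALL
backup      ALL=(root) /usr/sbin/zfs
"""
ENTRIES = [e for e in map(parse_sudoers_entry, SAMPLE_SUDOERS.splitlines()) if e]
```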

So, to configure an instance of Solaris 11 Express upgraded from OpenSolaris to operate like a freshly installed instance, you need to add a line like the above to the /etc/sudoers file. Note that the file is read-only and should be edited using the visudo editor - I hope you like vi :-).

One last note: if you want sudo to behave like pfexec (sans password), make the following tweak to your entry:


Finally, if you're on a fresh install of Solaris 11 Express and want to continue using pfexec, you can add the "Primary Administrator" profile as follows:

bleonard@solaris:~$ sudo usermod -P "Primary Administrator" bleonard
UX: usermod: bleonard is currently logged in, some changes may not take effect until next login.

Now creating that file system works just fine:

bleonard@solaris:~$ pfexec zfs create rpool/myfs

Happy sudoing or pfexecing, whichever you prefer.

Wednesday Jun 23, 2010

Rights Profiles

A Rights Profile gives a user or role the privileges to perform one or more specified tasks. As the Primary Administrator of your system, you might not give rights profiles much thought because you basically have the authority to do everything. However, if you're creating accounts for other users on the system, it's unlikely that you want to also give them Primary Administrator powers.

Wednesday Apr 29, 2009

pfexec tip

How many times a day do you type a command and inadvertently forget to prepend it with pfexec? For example:

bleonard@opensolaris:~$ zfs set compression=on rpool
cannot set property for 'rpool': permission denied

Rather than re-entering or editing the previous command, you can quickly re-run it using:

pfexec !!

!! is the bash shortcut for running the previous command.

Tuesday Feb 03, 2009

Allowing ZFS Snapshots

I find myself working with ZFS snapshots quite a bit, and as a convenience, I'd prefer if I didn't have to prefix the commands with pfexec. For example:

pfexec zfs rollback rpool/vbox@clean

Fortunately, it is possible to delegate the permission to run ZFS commands to my user account using zfs allow. For example:

pfexec zfs allow bleonard snapshot,rollback,mount rpool/vbox

Note that the ability to 'mount' is required in order to create and roll back snapshots. See the zfs man page for details.

To see the permissions assigned to a file system:

bleonard@opensolaris:~$ zfs allow rpool/vbox
Local+Descendent permissions on (rpool/vbox)
	user bleonard mount,rollback,snapshot

Now rollbacks are a bit easier:

zfs rollback rpool/vbox@clean

You can delegate any of the zfs commands, including allow. For more details see Delegating ZFS Permissions.
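As an added example (not part of the original post), here is a Python check over `zfs allow` output in the format shown above: it parses the delegations, reports what a user still lacks for a snapshot or rollback (including the mount permission the post mentions), and flags delegations that include allow (re-delegation) or go to everyone. The rpool/vbox block in the sample is the output quoted above; the rpool/scratch block is constructed.

```python
import re
from typing import List

# Header and entry lines of `zfs allow <dataset>` output, as quoted above.
HEADER_RE = re.compile(r"^(?P<scope>.+?) permissions on \((?P<dataset>[^)]+)\)$")
ENTRY_RE = re.compile(r"^\s+(?P<kind>user|group|everyone)\s*(?P<who>\S*)\s+(?P<perms>\S+)$")
# Operations from the post and what they need; the post notes 'mount' is required
# to create and roll back snapshots.
REQUIRED = {"snapshot": {"snapshot", "mount"}, "rollback": {"rollback", "mount"}}

def parse_zfs_allow(output: str) -> List[dict]:
    """One record per delegated principal in `zfs allow` output."""
    records, scope, dataset = [], None, None
    for line in output.splitlines():
        h = HEADER_RE.match(line)
        if h:
            scope, dataset = h["scope"], h["dataset"]
            continue
        e = ENTRY_RE.match(line)
        if e and dataset:
            records.append({"dataset": dataset, "scope": scope, "kind": e["kind"],
                            "who": e["who"] or "everyone", "perms": set(e["perms"].split(","))})
    return records

def missing_for(records: List[dict], who: str, dataset: str, op: str) -> set:
    """Permissions user `who` still lacks on `dataset` for `op` (group grants are ignored)."""
    held = set()
    for r in records:
        if r["dataset"] == dataset and (r["kind"] == "everyone" or (r["kind"], r["who"]) == ("user", who)):
            held |= r["perms"]
    return REQUIRED[op] - held

def risky_delegations(records: List[dict]) -> list:
    """Flag delegations that permit re-delegation ('allow') or are granted to everyone."""
    out = []
    for r in records:
        if "allow" in r["perms"]:
            out.append((r["dataset"], r["who"], "can re-delegate via 'allow'"))
        if r["kind"] == "everyone":
            out.append((r["dataset"], r["who"], "granted to everyone"))
    return out

# Constructed sample: the first block is the output quoted above, the second is made up.
SAMPLE_OUTPUT = (
    "Local+Descendent permissions on (rpool/vbox)\n"
    "\tuser bleonard mount,rollback,snapshot\n"
    "Local+Descendent permissions on (rpool/scratch)\n"
    "\tuser bleonard allow,snapshot\n"
    "\teveryone mount\n"
)
```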

Sunday Sep 21, 2008

The power of pfexec

I recently got a comment on a blog entry I did a while back that explains setting up a multiboot system. The comment was from Peter Jones and he was having trouble editing the menu.lst file.  He had apparently overlooked the exact syntax that I had specified:

pfexec gedit /rpool/boot/grub/menu.lst

From the content of the comment, it appears the problem was that he did not specify pfexec, so he was unable to save changes to the file. 

That got me to thinking about how frequently in these blog entries we use pfexec, and we have never posted a detailed explanation of what it does and why it works. So I made a note to write a blog entry on that topic. 

I was about to write it up when I noticed that Joerg Moellenkamp had recently published a blog entry that pretty much says exactly what I was going to write; check it out at Less known Solaris features: pfexec. In particular, make note of the part at the end where he describes how, by default, the userid you create during installation of OpenSolaris 2008.05 has the all-powerful Primary Administrator rights profile assigned to it.


The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.

