By Brian Leonard on Dec 02, 2010
We here in Solaris land have expended a lot of energy in the past explaining pfexec. In the simplest case it was described as an alias for sudo (and when I first come to Solaris, I'm somewhat embarrassed to admit I did just that, created an alias for sudo to pfexec). But having an alternative to sudo was one of those things that made Solaris "different". When OpenSolaris was first released we tracked unsuccessful searches against our package repository - and sudo was as the top of that list.
As part of the modernization effort for Solaris, sudo eventually found its way into OpenSolaris (beginning with the 2008.11 release). However, by that time I was pretty comfortable with pfexec and never looked back - until now that is.
A big change in the Solaris 11 Express release is that pfexec has been rendered relatively toothless out of the box. The "Primary Administrator" profile is no longer assigned to the user created during installation. If you've upgraded from an earlier release of OpenSolaris, you are unaffected by this change. However, on a fresh installation of Solaris 11 Express, commands that used to work will no longer. For example:
bleonard@solaris:~$ pfexec zfs create rpool/myfs cannot create 'rpool/myfs': permission denied
However, sudo now works just fine:
bleonard@solaris:~$ sudo zfs create rpool/myfs Password:
One big difference you'll notice is that sudo requires a password - and this your password, not the root password (which I'll address in a moment). The lack of a password prompt was the whole reason for the "Primary Administrator" role being dropped in the first place - although sudo can be configured to behave the same.
If you've upgraded to Solaris 11 Express, you have the opposite problem, pfexec still works as you're accustomed, however, sudo reports you to the sudo police.
bleonard@solaris:~$ sudo zfs create rpool/myfs We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. Password: bleonard is not in the sudoers file. This incident will be reported.
The report actually shows up in the /var/adm/messages file:
Dec 2 11:21:57 solaris sudo: [ID 702911 auth.alert] bleonard : user NOT in sudoers ; TTY=pts/2 ; PWD=/export/home/bleonard ; USER=root ; COMMAND=/usr/sbin/zfs create rpool/myfs
I'll address setting up sudo at the end of this entry.
The root Password
In the continued simplification of the Solaris 11 Express installer, it now only asks for one password, which is used as the password for both the root account and the initial user account:
However, the root password is immediately expired, as you'll see if you try to switch to root:
bleonard@solaris:~$ su Password: su: Password for user 'root' has expired New Password:
As you no longer have Primary Administrator privileges, GUI tools requiring administrator privileges will now also prompt you for the root password. For example, if you try to start the Package Manger GUI, you'll first be presented with:
The root Role
If you look at the installer screen capture above, you'll see that the initial user is assigned administrative privileges. Although this is not in the form of the "Primary Administrator" profile, the user created at installation time does have the root role assigned to them.
bleonard@solaris:~$ roles root
Some people mistakingly think that having the root role allows them to use pfexec. pfexec stands for Profile Execute, and executes commands against your assigned profiles - not your assigned roles. The root role simply allows you to su to the root user account.
The etc/sudoers file
Now to the reason why sudo works on a fresh install of Solaris 11 Express, but not on a version upgraded from OpenSolaris. When a command is prefixed with pfexec, it first checks to see if the user executing the command has a profile which allows the execution of that command. Very similarly, when a command is prefixed with sudo, the /etc/sudoers files is first consulted to see the user is allowed to execute that command.
The /etc/sudoers file is well documented and you can defined very fine grained rules as to what a particular user is allowed to do. In the case of the user created during installation, the user is allowed to do everything (just as if they were root). Here's what the entry for my user, bleonard, looks like:
bleonard ALL=(ALL) ALL
The entry above is stating that user bleonard can run any command on any host as any user. For further details on how to fine tune a user's privileges, see the sudoers man page.
So, to configure an instance of Solaris 11 Express upgraded from OpenSolaris to operate like a freshly installed instance, you need to add a line like the above to the /etc/sudoers file. Note that the file is read-only and should be edited using the visudo editor - I hope you like vi :-).
One last note, if you want sudo to behave like pfexec (sans password), make the following tweak to your entry:
bleonard ALL=(ALL) NOPASSWD: ALL
Finally, if you're on a fresh install of Solaris 11 Express and want to continue using pfexec, you can add the "Primary Administrator" profile as follows:
bleonard@solaris:~$ sudo usermod -P "Primary Administrator" bleonard Password: UX: usermod: bleonard is currently logged in, some changes may not take effect until next login.
Now creating that file system works just fine:
bleonard@solaris:~$ pfexec zfs create rpool/myfs
Happy sudoing or pfexecing, whichever you prefer.