get pfexec back in Solaris
If you tried Solaris 11 or OpenIndiana in a fresh installation, you may have noticed, that pfexec may not work the way you are used to. I asked in #openindiana on
irc.freenode.org and I was told, that the behavior was changed. OpenSolaris was used to have an
Primary Administrator profile which got assigned to the first account created on the installation. The problem with that is the same as on Windows - you are doing everything with the administrator or root account. To avoid that, sudo was introduced, which needs the password of your account with the default settings. What both tools are very different at what they do and at what they are good at. So it’s up to the administrator to define secure roles where appropriate and use sudo rules for the parts, which have to be more secured.
If you want back the old behavior, these two steps should be enough. But keep in mind, that it is important that you secure your system, to avoid misuse.
- there should be line like the following in
Primary Administrator:::Can perform all administrative tasks:auths=solaris.*,solaris.grant;help=RtPriAdmin.html
- if there is, then you can add that profile to your user with
usermod -P'Primary Administrator
It is possible to combine these two mechanics too. You could build a zone to ssh into the box with a key and from there, ssh with sudo and a password into the internal systems.