Discussion:
pfexec does not work any longer
Andrew Watkins
2011-11-11 17:37:01 UTC
I have lost the ability of making a user have access to root on Solaris
11 using the command pfexec.

On the old Solaris 11 Express box it works:
===========================================
% grep andrew /etc/user_attr
andrew::::profiles=Primary Administrator;roles=root
% id
uid=102(andrew) gid=10(staff)
% pfexec id
uid=0(root) gid=0(root)

Now on Solaris 11 it does not:
==============================
% grep andrew /etc/user_attr
andrew::::profiles=Primary Administrator;roles=root

% id
uid=102(andrew) gid=10(staff)
% pfexec id
uid=102(andrew) gid=10(staff)


What do I have to do to get pfexec working again?

Cheers,

Andrew
--
Andrew Watkins * Birkbeck College
http://notallmicrosoft.blogspot.com/
Alan Coopersmith
2011-11-11 17:52:48 UTC
Post by Andrew Watkins
==============================
grep andrew /etc/user_attr
andrew::::profiles=Primary Administrator;roles=root
Solaris 11 no longer includes the Primary Administrator profile.
--
-Alan Coopersmith-
Oracle Solaris Platform Engineering: X Window System
Ian Collins
2011-11-11 18:55:38 UTC
Post by Alan Coopersmith
Post by Andrew Watkins
==============================
grep andrew /etc/user_attr
andrew::::profiles=Primary Administrator;roles=root
Solaris 11 no longer includes the Primary Administrator profile.
So what is the equivalent?
--
Ian.
Shawn Walker
2011-11-11 19:07:44 UTC
Post by Ian Collins
Post by Alan Coopersmith
Post by Andrew Watkins
==============================
grep andrew /etc/user_attr
andrew::::profiles=Primary Administrator;roles=root
Solaris 11 no longer includes the Primary Administrator profile.
So what is the equivalent?
sudo is now the preferred default mechanism for authentication.

It also caches the authentication for a short period before requiring it
again.


-Shawn
Joerg Schilling
2011-11-11 20:03:49 UTC
Post by Andrew Watkins
I have lost the ability of making a user have access to root on Solaris
11 using the command pfexec.
Allowing people to become root with pfexec is a security hole that I described
years ago.

People who succeed in running commands via vulnerabilities of e.g. the browser will
be able to gain root privileges with no extra effort as there is no password.

Jörg
--
Jörg Schilling D-13353 Berlin
Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily
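Jörg's point is that the hole is "Primary Administrator" (or any profile that hands out uid 0) sitting on an ordinary user rather than on a role: a role's profile is behind the role's password, a user's is not. The script below is an added example, not code from the thread or from Solaris, that reads a user_attr(4) file and reports exactly that configuration. The sample entries are constructed for the demo; the real input is /etc/user_attr, which is the default when no file is given.

```shell
#!/bin/sh
# Audit user_attr for the "Primary Administrator" profile, or the root
# role, granted to a normal user rather than to a role.
#
# user_attr(4) line format:  user:qualifier:res1:res2:attr
# attr is a ';'-separated list of key=value pairs; the values of
# "profiles" and "roles" are ','-separated lists.

# Constructed sample entries (hypothetical accounts, not a real system).
SAMPLE_USER_ATTR='# comment line
andrew::::profiles=Primary Administrator;roles=root
ops::::roles=root;profiles=System Administrator,punchin;lock_after_retries=no
root::::type=role;auths=solaris.*;profiles=All
alice::::profiles=Basic Solaris User

bob::::type=normal;profiles=Primary Administrator'

# audit_user_attr [FILE]
# Prints one line per account that is NOT a role and that either holds the
# Primary Administrator profile (pfexec then yields uid 0 with no password)
# or may assume the root role (su root still asks for the role password).
# Entries with type=role are skipped: a profile on a role sits behind a
# second password, which is what makes the user/role distinction matter.
audit_user_attr() {
    awk -F: '
        /^[ \t]*#/ || NF < 5 { next }
        {
            user = $1; type = "normal"; primary = 0; rootrole = 0
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq == 0) continue
                key = substr(kv[i], 1, eq - 1)
                val = substr(kv[i], eq + 1)
                if (key == "type") type = val
                if (key == "profiles") {
                    m = split(val, p, ",")
                    for (j = 1; j <= m; j++)
                        if (p[j] == "Primary Administrator") primary = 1
                }
                if (key == "roles") {
                    m = split(val, r, ",")
                    for (j = 1; j <= m; j++)
                        if (r[j] == "root") rootrole = 1
                }
            }
            if (type == "role") next
            if (primary)
                printf "%s: Primary Administrator profile on a user (passwordless uid 0 via pfexec)\n", user
            else if (rootrole)
                printf "%s: root role access (second password required via su)\n", user
        }' "${1:-/etc/user_attr}"
}

# Stand-alone demo against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_USER_ATTR" > "$tmp"
audit_user_attr "$tmp"
rm -f "$tmp"
```

On the sample this flags andrew and bob as passwordless uid 0 and ops as root-role access; root (a role) and alice are not reported. Run it as `sh audit.sh` for /etc/user_attr, or pass another file; it only needs POSIX sh and awk. Note that an entry assigned through a naming service (LDAP, NIS) will not appear in the local file, so on such hosts compare against `getent user_attr` or the profiles(1) output instead.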
Brian Cameron
2011-11-14 19:36:24 UTC
Andrew:

The functional replacement of the "Primary Administrator" RBAC profile
is "System Administrator". If you use this instead, you should find
that your user is able to run programs with pfexec in much the same way
as you used to do with "Primary Administrator".

Note that if you set up your login shell to a shell like pfsh, pfksh,
pfcsh, pfbash, ..., then you do not have to run programs with pfexec
when needed. With these shells, pfexec is automatically used when
needed.

If you want users to need to enter a role password in order to run
programs, you can also configure the user to have access to a role
which has the needed privileges (e.g. root). If RBAC is configured
this way, then the panel will present the dialog to enter this role
password before running such programs. But, it sounds like you
just want to use the "System Administrator" profile and avoid needing
to enter passwords.

Others have recommended "sudo". The sudo program is useful for those
people who find it the best way to configure a needed system. That
said, using sudo to just avoid the use of RBAC is probably not the best
use.

Brian
Andrew Watkins
2011-11-16 10:26:35 UTC
Brian,

Thanks for the information, but it does not work. I will have another
look at the documentation, since I may be missing something in the new
release.

Andrew
--
Andrew Watkins * Birkbeck College
http://notallmicrosoft.blogspot.com/
Casper Dik
2011-11-16 11:07:16 UTC
Post by Andrew Watkins
Brian,
Thanks for the information, but it does not work. I will have another
look at the documentation, since I may be missing something in the new
release.
Andrew
pfexec was only intended for "roles" and not for ordinary users; the
Primary Administrator was dangerous, but when it was assigned to a role
it wasn't as dangerous as assigning it to a user. The first one
requires a second password ("su role cmd") but the latter one makes it
easy to exploit the system from any account assigned that profile.

We felt that having "pfexec id" print "uid=0(root) gid=0(root)" is a bug,
not a feature. There are no profiles in Solaris 11 which deliver that
functionality.

You can tell "su" to work like sudo by enabling pam_tty_tickets.so(1)
(Yes, it is a bug that it is in that section and with that name)

With the old "Primary Administrator" it was really clear when you ran with
a profile shell: the shell is started as root and you get a "#" prompt.

Of course, you can reinvent "Primary Administrator" but we recommend
against that.

Casper
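Casper's pam_tty_tickets hint, written out as an added example that is not part of the thread: the "su" auth stack in /etc/pam.conf with the ticket module inserted as "sufficient" ahead of the password prompt, so that a successful "su root" on a tty is remembered for a while, as sudo does by default. The module name and the timeout= option are as documented in pam_tty_tickets(5) on Solaris 11; the surrounding lines are assumed to be the stock su stack and the timeout value is an illustrative choice, so compare against the running system's pam.conf before editing it.

```text
# /etc/pam.conf, "su" service.  pam_tty_tickets.so.1 is "sufficient":
# a valid ticket for this tty short-circuits the password modules below
# it; without one the stack falls through to the normal password check.
su      auth required           pam_unix_cred.so.1
su      auth sufficient         pam_tty_tickets.so.1 timeout=10
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_unix_auth.so.1
```

This keeps the second password that makes a root role safer than a root profile (the first "su root" still asks for it) while removing the nuisance of retyping it for every command in a session. The ticket is bound to the tty, so it does nothing for processes that have no controlling terminal, which is exactly the browser-exploit case Jörg describes.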
Brian Cameron
2011-11-16 15:00:31 UTC
Post by Andrew Watkins
Thanks for the information, but it does not work. I will have another
look at the documentation, since I may be missing something in the new
release.
For example, I use a line like this /etc/user_attr file for each user
that needs to have root role access:

user::::roles=root;profiles=System Administrator,punchin;lock_after_retries=no

You can omit the ",punchin" if you don't use it, of course.

But you say it does not work. If you are using a user with settings
like this in /etc/user_attr, and if you are seeing issues, then what
does not seem to be working right?

Also, Darren is right that the GNOME Panel does not support the
sudo-like default of not requiring re-authentication for a period
of time. But note that the panel should not pop up dialogs asking
for passwords if your user is associated with the "System
Administrator" profile, only if your user does not, but has access to
the "root" role. So, it is pretty easy to configure users with RBAC
to not require passwords to run the programs needed.

Brian
Sean Sprague
2011-11-16 14:36:09 UTC
Andrew,
Post by Andrew Watkins
I have lost the ability of making a user have access to root on
Solaris 11 using the command pfexec.
As an adjunct, I have a memory that, a number of years ago, someone
high up in Security (Glenn or Scott) said "you are not supposed to use
pfexec for that". At the time, this comment was largely ignored, because
doing this with pfexec just worked. It now looks like this oversight has
been rectified.

Regards... Sean.