In April 2014, I wrote a blog describing the use of authenticated rights profiles in Oracle Solaris 11.2. As the name implies, the rights assigned via authenticated profiles are only available after the user has been re-authenticated. In previous Solaris 11 releases the initial account that is created during system installation was granted access to sudo(8), the root role, and the System Administrator rights profile. In Oracle Solaris 11.4 the System Administrator assignment is specified using the auth_profiles keyword, so that re-authentication is required when using pfexec(1).  As is the case with sudo, a tty ticketing mechanism is used so that re-authentication is generally not required within a five-minute window.

 

While the choice of using sudo or pfexec may seem to be a matter of taste, the latter is optimized for Oracle Solaris, providing features like fine-grained auditing and fine-grained process attributes like extended policy privileges and process clearance. But I think the most interesting advantage is that commands in authenticated rights profiles are automatically recognized by the kernel without requiring sudo, pfexec, or special file permissions. Unlike sudo and su(8), which are set-uid-to-root binaries, pfexec is an unprivileged program. All of the available profiles shells (pfbash, pfsh, pfcsh, etc.) are simply hard links to pfexec. When your shell is pfbash you are be automatically challenged to re-authenticate when you execute any commands that have been assigned to you via authenticated profiles.

 

The architecture by which this is accomplished is based on two process flags, PRIV_PFEXEC and PRIV_PFEXEC_AUTH, and two helper programs, pfexecd and pfexec_auth. The steps are shown in the following two flow charts (click to enlarge):

 

authprof1.png

 

Setting the PRIV_PFEXEC process flag is an unprivileged operation which is set by pfexec, and inherited by child processes. If this flag is set on a process being executed, the kernel makes a door up call to pfexecd, which invokes the name service to retrieve any process attributes that have been assigned to the user. If found, these attributes are returned to the kernel and applied to the process being executed.

 

authprof2.png

However, if the command's RBAC attributes are found in an authenticated profile, and the process does not have the PRIV_PFEXEC_AUTH flag set, then the kernel executes the helper process pfexec_auth as root, in place of the original command, passing it the original user context. This helper process starts a PAM session using  the /etc/pam.d/pfexec stack. If the re-authentication is successful, pfexec_auth uses its privilege, proc_setid, to set the PRIV_PFEXEC_AUTH flag. If the user cancels the re-authentication challenge, then the PRIV_PFEXEC flag is cleared. In either case the original command is re-executed. If the the authentication is unsuccessful, then the original command is not executed.