pfcsh(1) man page - WindyHana's Solanara


pfexec(1)                        User Commands                       pfexec(1)



NAME
       pfexec,  pfbash, pfcsh, pfksh, pfsh, pftcsh, pfzsh, pfksh93 - execute a
       command in a profile

SYNOPSIS
       /usr/bin/pfexec command


       /usr/bin/pfbash [ options ] [ argument ]...


       /usr/bin/pfcsh [ options ] [ argument ]...


       /usr/bin/pfksh [ options ] [ argument ]...


       /usr/bin/pfsh [ options ] [ argument ]...


       /usr/bin/pftcsh [ options ] [ argument ]...


       /usr/bin/pfzsh [ options ] [ argument ]...


       /usr/bin/pfksh93 [ options ] [ argument ]...


       /usr/bin/pfrksh93 [ options ] [ argument ]...


       /usr/bin/pfrksh [ options ] [ argument ]...


       /usr/sunos/bin/pfksh [ options ] [ argument ]...


       /usr/xpg4/bin/pfsh [ options ] [ argument ]...


       /usr/bin/pfexec -P privspec command [ arg ]...

DESCRIPTION
       The pfexec program sets the PRIV_PFEXEC process flag and marks the cur‐
       rent  process  as  a profile shell. It then executes the specified com‐
       mand. The kernel queries the exec_attr(5) database  and  executes  with
       the appropriate attributes.


       Profiles  are  searched in the order specified in the user's entries in
       the user_attr(5) database and policy.conf(5). For each user, there  are
       two sets of profiles, an authenticated set, and an unauthenticated set.
       The user is required to  reauthenticate  prior  to  executing  commands
       which  match an entry in the exec_attr(5) database corresponding to the
       authenticated profiles set. If the command is executed from a terminal,
       the  authentication  state is cached for the current user and tty, sub‐
       ject to the timeout option set for pam_tty_tickets(7) in the PAM  stack
       /etc/pam.d/pfexec.  If  there is no current tty, but there is an active
       X11 session, the user is prompted to authenticate through  a  zenity(1)
       dialog.  This  authentication  state is cached for the current user and
       DISPLAY environment setting.


       Processes that have been successfully reauthenticated, including  those
       that  were  implicitly  authenticated  within  the timeout value of the
       cache, are marked with an additional  process  flag,  PRIV_PFEXEC_AUTH,
       which  exempts  child  processes from subsequent reauthentication. Both
       the PRIV_PFEXEC and PRIV_PFEXEC_AUTH flags are inherited by child  pro‐
       cesses unless the real uid is changed.


       Commands  that match the set of unauthenticated profiles do not require
       reauthentication, but have lower precedence than commands in the set of
       authenticated  profiles.  If  the same command appears in more than one
       profile, the profile shell uses the first matching entry.
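
       The search order described above, modeled as an added example (not part
       of the original man page or of Oracle's code). The function names,  the
       "Demo ..." profile names and the sample entries are constructed; the
       model assumes the caller passes both profile lists already  in  search
       order and ignores wildcard entries and nested profiles.

```python
from typing import NamedTuple

# Constructed exec_attr(5)-style lines: name:policy:type:res1:res2:id:attr
SAMPLE_EXEC_ATTR = """\
# constructed sample, not from a real system
Demo Net Admin:solaris:cmd:::/usr/sbin/ifconfig:euid=0
Demo Operator:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_ip_config
Demo Operator:solaris:cmd:::/usr/sbin/shutdown:euid=0
Demo File Admin:solaris:cmd:::/usr/bin/chown:privs=file_chown
"""

class Match(NamedTuple):
    profile: str        # profile whose entry was selected
    attrs: dict         # execution attributes from that entry
    needs_reauth: bool  # True if the user must reauthenticate first

def parse_exec_attr(text):
    """Return {profile: {command_path: attrs}} for entries of type 'cmd'."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if len(fields) != 7 or fields[2] != "cmd":
            continue  # malformed or non-command entry
        name, cmd, attr = fields[0], fields[5], fields[6]
        attrs = dict(kv.split("=", 1) for kv in attr.split(";") if "=" in kv)
        # Within one profile, keep the first entry seen for a command.
        table.setdefault(name, {}).setdefault(cmd, attrs)
    return table

def resolve(cmd, auth_profiles, profiles, table, reauthenticated=False):
    """Select the entry for cmd: authenticated profiles are searched first,
    then unauthenticated ones; the first matching entry wins.
    reauthenticated=True models a process already carrying PRIV_PFEXEC_AUTH."""
    search = [(p, True) for p in auth_profiles] + [(p, False) for p in profiles]
    for profile, is_auth in search:
        attrs = table.get(profile, {}).get(cmd)
        if attrs is not None:
            return Match(profile, attrs, is_auth and not reauthenticated)
    return None  # no entry for cmd in any of the listed profiles
```

       Running resolve() over every command in a user's profiles shows which
       entries are shadowed by an earlier profile and which  commands  prompt
       for reauthentication.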


       The second form, pfexec  -P  privspec, allows  a  user  to  obtain  the
       additional  privileges  awarded to the user's profiles in prof_attr(5).
       The privileges specification  on  the  command  line  is  parsed  using
       priv_str_to_set(3C).  The resulting privileges are intersected with the
       union  of  the  privileges  specified  using  the  privs   keyword   in
       prof_attr(5)  for  all the user's profiles and added to the inheritable
       set before executing the command. Privileges from authenticated  rights
       profiles can be obtained only when the user has already reauthenticated
       successfully.

USAGE
       pfexec is used to execute commands with predefined process  attributes,
       such as specific user or group IDs.


       Refer  to  the man pages for each shell for complete usage descriptions
       of the profile shells.

EXAMPLES
       Example 1 Obtaining additional user privileges


         example% pfexec -P all chown user file




       This command runs chown user file with all privileges assigned  to  the
       current user, not necessarily all privileges.

EXIT STATUS
       The following exit values are returned:

       0    Successful completion.


       1    An error occurred.


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


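       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       | Availability                | system/core-os              |
       +-----------------------------+-----------------------------+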


SEE ALSO
       bash(1), csh(1), ksh(1), ksh88(1), profiles(1), sh(1), tcsh(1), zsh(1),
       exec_attr(5), prof_attr(5), user_attr(5), attributes(7)

HISTORY
       Support for authenticated profiles was added in Oracle Solaris 11.2.0.


       The pfexec command was added in Solaris 8.



Oracle Solaris 11.4               21 Jun 2021                        pfexec(1)
Copyright in the man page content belongs to the man page's authors.