pfedit(8) man page - Windyhana's Solanara


System Administration Commands                                       pfedit(8)



NAME
       pfedit - per-file authorized edit of administrative files

SYNOPSIS
       pfedit [-r] [-s] file

DESCRIPTION
       The pfedit command allows authorized users to edit system configuration
       files. The file argument is a pathname of the file  to  be  edited.  If
       file  is  not an absolute pathname, the pathname of the current working
       directory is prepended, and all further processing proceeds as if  that
       were  the  argument.  The  invoking  user  must  have the authorization
       solaris.admin.edit/path_to_file   or    the    blanket    authorization
       solaris.admin.edit. The pfedit command allows use of symbolic links, by
       also checking for authorization for the realpath(3C) of file.


       The pfedit command creates a copy of file owned by the  invoking  user,
       then  invokes an editor on that file using the id and privileges of the
       invoking user. The default editor is /usr/bin/vi, but can  be  selected
       through  the  use of the EDITOR or VISUAL environment variable; if both
       are set, VISUAL has precedence. When the user exits the editor  and  if
       the  copied  file  has  been  updated, the updated contents are applied
       atomically to file. All discretionary access attributes (owner,  group,
       permissions and ACLs) of file are retained, together with any system or
       extended attributes on the original file. In any case,  the  user-owned
       file copy is removed before pfedit exits.


       If file does not exist, the file will be created with owner root, group
       root. The file permissions will be 644 (-rw-r--r--) unless the -s
       option is selected, in which case the file permissions will be 600
       (-rw-------). After creation, the previously described operations are
       applied to that file. If pfedit has been used to create and modify
       file, the -r option can be used to remove file.


       The pfedit command sets a discretionary lock on file, so that
       simultaneous updates by means of pfedit are prohibited.


       The  pfedit  command is careful not to break hard links to other files.
       Since the atomic update requires replacement of the existing file  with
       a new one with the updated contents, pfedit will refuse to operate on a
       file with a link count greater than one.


       The pfedit command is restricted to editing text files,  and  will  not
       accept updates which include non-text characters (NULs).


       If  configured,  in the case of a successful update, an attempt to make
       unauthorized use, or if an error occurs, an audit record  is  generated
       to capture the subject, the file name, the authorization used, the file
       change if any, and the success or failure of the operation.  The  audit
       event type and default class is one of:

         AUE_admin_edit:edit administrative file:as
         AUE_admin_file_create:create administrative file:as
         AUE_admin_file_remove:remove administrative file:as


OPTIONS
       The following options are supported:

       -r

           Remove specified file (if file has been created by pfedit).


       -s

           Mark  a  file  "sensitive"  (only  valid  when creating a file with
           pfedit). The file will be created with 0600  permissions  and  will
           have the "sensitive" System Attribute.


EXAMPLES
       Example 1 Creating a Profile



       To create a profile with solaris.admin.edit authorization that can be
       assigned to users to modify /etc/syslog.conf, use the profiles(1)
       command.


         % profiles -p "syslog Configure"
         profiles: syslog Configure> set auths=solaris.admin.edit/etc/syslog.conf
         profiles: syslog Configure> set desc="Edit syslog configuration"
         profiles: syslog Configure> exit


       Example 2 Modifying /etc/syslog.conf



       If a user has the "syslog Configure" profile as configured in the
       previous example then invoking:


         # pfedit /etc/syslog.conf




       ...creates a copy of  /etc/syslog.conf  owned  by  that  user,  and  by
       default  invokes /usr/bin/vi running as that user on the copy. When the
       user exits the editor, /etc/syslog.conf is atomically updated with  the
       contents saved by the user.
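       The DESCRIPTION section above and Example 2 describe the safety
       properties pfedit enforces around its edit: authorization checked
       against the realpath(3C) of the file, refusal to touch a file whose
       link count is greater than one, rejection of non-text (NUL) content, a
       discretionary lock while the update runs, atomic replacement that
       keeps the original owner, group and mode, and 644 or 600 permissions
       on newly created files. The following Python model is added here as an
       illustration of those checks; it is not Oracle's implementation of
       pfedit. The function names, the representation of a user's
       authorizations as a set of strings, the temporary-directory stand-in
       for /etc/syslog.conf and the sample syslog line are all assumptions.

```python
"""Model of the checks pfedit(8) performs around an edit.

Constructed illustration only; not the Oracle Solaris implementation.
ACLs and system/extended attributes, which pfedit also preserves, are
not copied by this model.
"""
import fcntl
import os
import stat
import tempfile

BLANKET_AUTH = "solaris.admin.edit"


def is_authorized(auths, path):
    """True if the blanket authorization or the per-file authorization for
    the *realpath* of `path` is held; checking the realpath is what stops a
    symbolic link from reaching a file the user is not authorized for."""
    real = os.path.realpath(path)
    return BLANKET_AUTH in auths or BLANKET_AUTH + real in auths


def create(path, sensitive=False):
    """Create a missing file the way the man page describes: 0644 by
    default, 0600 when marked sensitive (-s). Returns the mode applied."""
    mode = 0o600 if sensitive else 0o644
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.close(fd)
    os.chmod(path, mode)          # make the mode independent of the umask
    return mode


def atomic_update(path, new_content, auths):
    """Apply `new_content` to `path`. Returns True if the file was replaced,
    False if the edited copy was identical; raises on every refused case."""
    if not is_authorized(auths, path):
        raise PermissionError("missing authorization for " + path)
    if b"\0" in new_content:
        raise ValueError("non-text content (NUL bytes) rejected")
    real = os.path.realpath(path)
    st = os.stat(real)
    if st.st_nlink > 1:           # replacing the file would break hard links
        raise OSError("%s has link count %d; refusing" % (real, st.st_nlink))
    with open(real, "rb") as orig:
        # Discretionary lock: a concurrent model run on the same file fails
        # immediately with BlockingIOError instead of racing us.
        fcntl.flock(orig.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
        if orig.read() == new_content:
            return False          # nothing changed; original left untouched
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(real), prefix=".pfedit.")
        try:
            with os.fdopen(fd, "wb") as out:
                out.write(new_content)
                out.flush()
                os.fsync(out.fileno())
            os.chmod(tmp, stat.S_IMODE(st.st_mode))   # keep permissions
            try:
                os.chown(tmp, st.st_uid, st.st_gid)    # keep owner and group
            except PermissionError:
                pass              # the real pfedit runs privileged; a model
                                  # run by an unprivileged user cannot chown
            os.replace(tmp, real)  # atomic rename within the same filesystem
        except BaseException:
            if os.path.exists(tmp):
                os.unlink(tmp)    # the user-owned copy never outlives the edit
            raise
    return True


def demo():
    """Exercise the model on a constructed file in a temporary directory."""
    results = {}
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "syslog.conf")   # stand-in for /etc/syslog.conf
    create(path, sensitive=True)
    results["mode_after_create"] = stat.S_IMODE(os.stat(path).st_mode)
    auths = {BLANKET_AUTH + os.path.realpath(path)}   # per-file authorization
    line = b"*.err\t/var/adm/messages\n"               # constructed sample content
    results["updated"] = atomic_update(path, line, auths)
    results["mode_after_update"] = stat.S_IMODE(os.stat(path).st_mode)
    results["unchanged"] = atomic_update(path, line, auths)

    def refused(content, held):
        try:
            atomic_update(path, content, held)
        except (ValueError, OSError) as exc:   # PermissionError is an OSError
            return type(exc).__name__
        return None

    results["nul"] = refused(b"bad\0data\n", auths)
    results["unauthorized"] = refused(b"x\n", set())
    os.link(path, path + ".hardlink")
    results["hardlink"] = refused(b"x\n", auths)
    return results


if __name__ == "__main__":
    print(demo())
```

       Running the script prints a dictionary showing the sensitive file
       created 0600, the first edit applied and the mode retained, an
       identical edit reported as no change, and the NUL, unauthorized and
       hard-link cases each refused by a distinct error.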

EXIT STATUS
       The pfedit command has an exit value of 0 if it completes successfully,
       and a non-zero value if any part of the operation fails.

ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       ATTRIBUTE TYPE            ATTRIBUTE VALUE
       Availability              system/core-os
       Interface Stability       Uncommitted


SEE ALSO
       auths(1), passwd(1), profiles(1), fgetattr(3C), realpath(3C),
       attributes(7), fsattr(7), groupadd(8), groupdel(8), groupmod(8),
       useradd(8), userdel(8), usermod(8)

NOTES
       Oracle Solaris includes administrative configuration files for which
       use of pfedit and the solaris.admin.edit/path_to_file authorization is
       not recommended. Alternate commands exist which are both
       domain-specific and safer. For example, for the /etc/passwd,
       /etc/shadow, or /etc/user_attr files, use instead passwd(1),
       useradd(8), userdel(8), or usermod(8). For the /etc/group file, use
       instead groupadd(8), groupdel(8), or groupmod(8). For updating
       /etc/security/auth_attr, /etc/security/exec_attr, or
       /etc/security/prof_attr, the preferred command is profiles(1).


       The ability to modify the contents of some configuration files  can  be
       used  to escalate the privileges assigned to the user. Assignment of an
       authorization to edit such a file, or of a profile containing  such  an
       authorization, should be considered equivalent to providing full privi‐
       leged access.


       Files with the "sensitive" System Attribute,  including  those  created
       with  the  -s  option,  do  not  have  the  contents or content changes
       included in the audit record.

HISTORY
       The -s option and special handling of files with the "sensitive" System
       Attribute was added in Oracle Solaris 11.2.0.


       The pfedit command was added in Oracle Solaris 11.1.0.



Oracle Solaris 11.4               21 Jun 2021                        pfedit(8)
The copyright of the man page content belongs to the man page author.