System Administration Commands pfedit(8)
NAME
pfedit - per-file authorized edit of administrative files
SYNOPSIS
pfedit [-r] [-s] file
DESCRIPTION
The pfedit command allows authorized users to edit system configuration
files. The file argument is a pathname of the file to be edited. If
file is not an absolute pathname, the pathname of the current working
directory is prepended, and all further processing proceeds as if that
were the argument. The invoking user must have the authorization
solaris.admin.edit/path_to_file or the blanket authorization
solaris.admin.edit. The pfedit command allows use of symbolic links, by
also checking for authorization for the realpath(3C) of file.
The pfedit command creates a copy of file owned by the invoking user,
then invokes an editor on that file using the id and privileges of the
invoking user. The default editor is /usr/bin/vi, but can be selected
through the use of the EDITOR or VISUAL environment variable; if both
are set, VISUAL has precedence. When the user exits the editor and if
the copied file has been updated, the updated contents are applied
atomically to file. All discretionary access attributes (owner, group,
permissions and ACLs) of file are retained, together with any system or
extended attributes on the original file. In any case, the user-owned
file copy is removed before pfedit exits.
If file does not exist, the file will be created with owner root, group
root. The file permissions will be 644 (-rw-r--r--) unless the -s
option is selected, in which case the file permissions will be 600
(-rw-------). After creation, the previously described operations are
applied to that file. If pfedit has been used to create and modify
file, the -r option can be used to remove file.
The pfedit command sets a discretionary lock on file, so that
simultaneous updates by means of pfedit are prohibited.
The pfedit command is careful not to break hard links to other files.
Since the atomic update requires replacement of the existing file with
a new one with the updated contents, pfedit will refuse to operate on a
file with a link count greater than one.
The pfedit command is restricted to editing text files, and will not
accept updates which include non-text characters (NULs).
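The precondition checks and the copy-then-rename update described above, as an added example in portable sh; this is not pfedit's own source (pfedit is a compiled Oracle Solaris utility). The function names, the scratch files and the use of cp -p to seed an attribute-preserving copy are assumptions of the example; ACLs, extended attributes, the discretionary lock and the authorization check are not modelled.

```shell
#!/bin/sh
# Added example, not pfedit's own code: a sh sketch of the safety checks
# pfedit(8) applies before replacing a file, followed by the same
# temp-copy-then-rename pattern used for the atomic update.
# Assumptions: POSIX sh with ls, awk, tr, wc, cp, mv and mktemp available.
# "cp -p" preserves mode, timestamps and (when permitted) owner/group;
# ACLs and extended attributes are outside the scope of this example.

# pf_check_editable FILE
# Return 0 if FILE is safe to replace: a regular file whose link count is
# exactly 1 (so no hard link is silently left pointing at stale content)
# and which contains no NUL bytes (pfedit only handles text files).
pf_check_editable() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "pf_check_editable: $f: not a regular file" >&2
        return 1
    fi
    # Second column of "ls -ld" is the link count on Solaris, Linux and BSD.
    links=$(ls -ld "$f" | awk '{print $2}')
    if [ "$links" -ne 1 ]; then
        echo "pf_check_editable: $f: link count is $links, refusing" >&2
        return 1
    fi
    # Strip NULs and compare byte counts; any difference means a NUL was present.
    # Arithmetic expansion drops the leading blanks some wc(1) versions print.
    total=$(( $(wc -c < "$f") ))
    nonnul=$(( $(LC_ALL=C tr -d '\000' < "$f" | wc -c) ))
    if [ "$total" -ne "$nonnul" ]; then
        echo "pf_check_editable: $f: contains non-text (NUL) bytes, refusing" >&2
        return 1
    fi
    return 0
}

# pf_atomic_replace FILE NEWCONTENT
# Replace FILE with the contents of NEWCONTENT via a single rename, keeping
# FILE's mode, owner/group and timestamps by seeding the temp file with
# "cp -p". The temp file lives in FILE's directory so mv is a rename, not
# a cross-filesystem copy, and readers never see a half-written file.
pf_atomic_replace() {
    f=$1 new=$2
    pf_check_editable "$f" || return 1
    dir=$(dirname "$f")
    tmp="$dir/.$(basename "$f").pfedit.$$"
    cp -p "$f" "$tmp" || return 1
    # Overwrite the attribute-preserving copy with the new contents,
    # removing it again if the write fails so nothing is left behind.
    if ! cat "$new" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$f"
}

# pf_demo: constructed scenario in a scratch directory showing one editable
# file, one hard-linked file and one binary file, then a real replacement.
pf_demo() {
    d=$(mktemp -d) || return 1
    printf 'loghost=localhost\n' > "$d/syslog.conf"      # constructed config
    chmod 640 "$d/syslog.conf"
    printf 'loghost=localhost\n' > "$d/linked.conf"
    ln "$d/linked.conf" "$d/linked.conf.bak"             # link count becomes 2
    printf 'abc\000def\n' > "$d/binary.conf"             # contains a NUL
    printf 'loghost=logserver.example\n' > "$d/new.txt"  # replacement text

    for t in syslog.conf linked.conf binary.conf; do
        if pf_check_editable "$d/$t" 2>/dev/null; then
            echo "$t: editable"
        else
            echo "$t: refused"
        fi
    done
    pf_atomic_replace "$d/syslog.conf" "$d/new.txt" && cat "$d/syslog.conf"
    rm -rf "$d"
}

pf_demo
```

Running the script prints one line per scratch file ("editable" or "refused") and then the replaced contents; the 640 mode set on syslog.conf survives the replacement because the temp file was created with cp -p rather than by a fresh open under the caller's umask.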
If auditing is configured, an audit record is generated on a successful
update, on an attempt at unauthorized use, or when an error occurs. The
record captures the subject, the file name, the authorization used, the
file change (if any), and the success or failure of the operation. The
audit event type and default class is one of:
AUE_admin_edit:edit administrative file:as
AUE_admin_file_create:create administrative file:as
AUE_admin_file_remove:remove administrative file:as
OPTIONS
The following options are supported:
-r
Remove specified file (if file has been created by pfedit).
-s
Mark a file "sensitive" (only valid when creating a file with
pfedit). The file will be created with 0600 permissions and will
have the "sensitive" System Attribute.
EXAMPLES
Example 1 Creating a Profile
To create a profile with solaris.admin.edit authorization that can be
assigned to users to modify /etc/syslog.conf, use the profiles(1)
command.
% profiles -p "syslog Configure"
profiles: syslog Configure> set auths=solaris.admin.edit/etc/syslog.conf
profiles: syslog Configure> set desc="Edit syslog configuration"
profiles: syslog Configure> exit
Example 2 Modifying /etc/syslog.conf
If a user has the "syslog Configure" profile as configured in the
previous example then invoking:
# pfedit /etc/syslog.conf
...creates a copy of /etc/syslog.conf owned by that user, and by
default invokes /usr/bin/vi running as that user on the copy. When the
user exits the editor, /etc/syslog.conf is atomically updated with the
contents saved by the user.
EXIT STATUS
The pfedit command has an exit value of 0 if it completes successfully,
and a non-zero value if any part of the operation fails.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE            ATTRIBUTE VALUE
Availability              system/core-os
Interface Stability       Uncommitted
SEE ALSO
auths(1), passwd(1), profiles(1), fgetattr(3C), realpath(3C),
attributes(7), fsattr(7), groupadd(8), groupdel(8), groupmod(8),
useradd(8), userdel(8), usermod(8)
NOTES
Oracle Solaris includes administrative configuration files for which
use of pfedit and the solaris.admin.edit/path_to_file authorization is
not recommended. Alternate commands exist which are both
domain-specific and safer. For example, for the /etc/passwd, /etc/shadow, or
/etc/user_attr files, use instead passwd(1), useradd(8), userdel(8), or
usermod(8). For the /etc/group file, use instead groupadd(8),
groupdel(8), or groupmod(8). For updating /etc/security/auth_attr,
/etc/security/exec_attr, or /etc/security/prof_attr, the preferred
command is profiles(1).
The ability to modify the contents of some configuration files can be
used to escalate the privileges assigned to the user. Assignment of an
authorization to edit such a file, or of a profile containing such an
authorization, should be considered equivalent to providing full
privileged access.
Files with the "sensitive" System Attribute, including those created
with the -s option, do not have the contents or content changes
included in the audit record.
HISTORY
The -s option and special handling of files with the "sensitive" System
Attribute were added in Oracle Solaris 11.2.0.
The pfedit command was added in Oracle Solaris 11.1.0.
Oracle Solaris 11.4 21 Jun 2021 pfedit(8)