About RBAC and using pfexec
In SmartOS, Role Based Access Control (RBAC) offers system administrators a wide degree of flexibility and power for managing user access rights. One of the keys to using RBAC is managing access through a Rights profile shell. A Rights profile is a collection of administrative capabilities that system administrators can assign to a role or to a user.
System administrators can define specific commands normally reserved for root access that normal users can run from a specific profile. This eliminates the hazard of distributing root access to normal users who only need to run specific commands that require root access.
Sudo vs. pfexec
One of the main problems with sudo
is the lack of privilege awareness. This means for normal users, sudo
is an "all or nothing" proposition in terms of granting users access to the entire system. Like sudo
, running a pfexec
command is done by simply prepending pfexec
before the command. The command will execute as if the user has root privileges provided the command is available to the profile shell.
Other advantages/disadvantages of using pfexec
vs. using sudo
are below.
Advantages of using sudo
- Cross-platform compatible
- Support for control of CLI arguments
- Support for setting per command environment variables
Advantages of using pfexec
- Offers complete granularity for defining privileges
- Never have to expose root login credentials to normal users
- Taking away root privileges is as easy as removing the profile that grants root privileges from the user's account