xref: /illumos-gate/usr/src/man/man1/pfexec.1 (revision dd72704bd9e794056c558153663c739e2012d721)
te
Copyright (c) 2003, Sun Microsystems, Inc. All Rights Reserved
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
PFEXEC 1 "Jul 8, 2016"
NAME
pfexec, pfsh, pfcsh, pfksh - execute a command in a profile
SYNOPSIS

/usr/bin/pfexec command

/usr/bin/pfexec -P privspec command [ arg ]...

/usr/bin/pfsh [ options ] [ argument ]...

/usr/bin/pfcsh [ options ] [ argument ]...

/usr/bin/pfksh [ options ] [ argument ]...
DESCRIPTION

The pfexec program is used to execute commands with the attributes specified by the user's profiles in the exec_attr(5) database. It is invoked by the profile shells, pfsh, pfcsh, and pfksh which are linked to the Bourne shell, C shell, and Korn shell, respectively.

Profiles are searched in the order specified in the user's entry in the user_attr(5) database. If the same command appears in more than one profile, the profile shell uses the first matching entry.

The second form, pfexec -P privspec, allows a user to obtain the additional privileges awarded to the user's profiles in prof_attr(5). The privileges specification on the commands line is parsed using priv_str_to_set(3C). The resulting privileges are intersected with the union of the privileges specified using the "privs" keyword in prof_attr(5) for all the user's profiles and added to the inheritable set before executing the command.

For pfexec to function correctly, the pfexecd daemon must be running in the current zone. This is normally managed by the "svc:/system/pfexec:default" SMF service (see smf(7)).

USAGE

pfexec is used to execute commands with predefined process attributes, such as specific user or group IDs.

Refer to the sh(1), csh(1), and ksh(1) man pages for complete usage descriptions of the profile shells.

EXAMPLES

Example 1 Obtaining additional user privileges

example% pfexec -P all chown user file

This command runs chown user file with all privileges assigned to the current user, not necessarily all privileges.

EXIT STATUS

The following exit values are returned: 0

Successful completion.

1

An error occurred.

SEE ALSO

csh (1), ksh (1), profiles (1), sh (1), exec_attr (5), prof_attr (5), user_attr (5), attributes (7), smf (7)