When using pfexec, are you able to specify which profile you want to use for a given user who has been assigned multiple profiles?

One example for this use is so that we can execute a command as a different user within the same process. In exec_attr, you are able to specify the uid/gid that will be used to execute a particular command as in the following example entry:

Name Service Security:suser:cmd:::/usr/sbin/rpc.nsid:uid=0;gid=0

The above profile will use the super user (uid=0) to execute the rpc.nsid command.

In user_attr, you can specify multiple profiles as below:

testuser::::type=normal;profiles=Name Service Security,Object Access Management

Can you then specify directly to use the Object Access Management profile to pfexec?

jigjig

1 Answer

From the [pfexec(1) man page][1]:

> Profiles are searched in the order specified in the user's entry in the user_attr(4) database. If the same command appears in more than one profile, the profile shell uses the first matching entry.

So if you put 'Object Access Management' before 'Name Service Security' it'll use that instead.

notpeter
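The first-match rule quoted in the answer can be checked offline when auditing which uid/gid a user ends up with for a command. The following is an added example, not code from the thread or from Solaris: it is a simplified model that ignores wildcard entries, profiles nested through prof_attr, and defaults from policy.conf, and the second exec_attr line (with its uid=100) is constructed so that the same command appears in two profiles.

```python
# Simplified model of the pfexec lookup order (added example).
# The first EXEC_ATTR line and the USER_ATTR line are quoted from the question;
# the second EXEC_ATTR line is constructed (uid=100 is a placeholder value).
EXEC_ATTR = """\
Name Service Security:suser:cmd:::/usr/sbin/rpc.nsid:uid=0;gid=0
Object Access Management:suser:cmd:::/usr/sbin/rpc.nsid:uid=100
"""
USER_ATTR = ("testuser::::type=normal;"
             "profiles=Name Service Security,Object Access Management\n")


def parse_attrs(field):
    """Turn 'k1=v1;k2=v2' into a dict."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)


def data_lines(text):
    """Yield non-empty, non-comment lines of a database file."""
    return (l for l in text.splitlines() if l.strip() and not l.startswith("#"))


def user_profiles(user_attr_text, user):
    """Return the user's profiles in the order listed in user_attr."""
    for line in data_lines(user_attr_text):
        name, _qual, _res1, _res2, attr = line.split(":", 4)
        if name == user:
            profs = parse_attrs(attr).get("profiles", "")
            return [p.strip() for p in profs.split(",") if p.strip()]
    return []


def resolve(exec_attr_text, user_attr_text, user, command):
    """Return (profile, attrs) for the first profile, in user_attr order,
    that lists the command; None if no listed profile contains it."""
    entries = {}
    for line in data_lines(exec_attr_text):
        name, _policy, _type, _r1, _r2, cmd_id, attr = line.split(":", 6)
        entries.setdefault((name, cmd_id), parse_attrs(attr))
    for profile in user_profiles(user_attr_text, user):
        if (profile, command) in entries:
            return profile, entries[(profile, command)]
    return None


if __name__ == "__main__":
    print(resolve(EXEC_ATTR, USER_ATTR, "testuser", "/usr/sbin/rpc.nsid"))
    swapped = ("testuser::::type=normal;"
               "profiles=Object Access Management,Name Service Security\n")
    print(resolve(EXEC_ATTR, swapped, "testuser", "/usr/sbin/rpc.nsid"))
```

Running the same check against copies of the real user_attr and exec_attr files shows where a reordering of the profiles list would change the effective uid for a command.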