They are great but have to be used with caution, upon "best practices".
One important point to highlight, possibly as a best practice, is that built-in rights profiles, prof_attr(4), those located in /etc/security/prof_attr.d and also viewable with profiles(1), may exhibit unexpected behavior if combined with profile shells.
Example:
$ who am i
prime pts/3 Jun 24 11:26 (:0.0)
$ whoami
prime
$ mkdir test
$ ll -d test
drwxr-xr-x 2 root staff 117 Jun 24 11:28 test
$ ll -d /tmp
drwxrwxrwt 18 root sys 2.2K Jun 24 11:28 /tmp
$ pkg info entire | grep Version
Version: 0.5.11 (Oracle Solaris 11.1.8.4.0)
$ id -a
uid=60004(prime) gid=10(staff) groups=10(staff)
$ getent passwd prime
prime:x:60004:10:Prime Admin:/home/prime:/usr/bin/pfbash
$ getent passwd 60004
prime:x:60004:10:Prime Admin:/home/prime:/usr/bin/pfbash
$ getent user_attr prime
prime::::type=normal;...;profiles=System Administrator;roles=...
As seen above, unexpected side-effects, such as persistent file system attributes (in this case just the ownership), takes place: if the same user (in this case prime) subsequently tries to put something in /tmp/test, it won't succeed because under the System Administrator rights profile, cp(1) or mv(1) don't have the same privilege elevation (uid=0) as mkdir(1).
Still in other words:
Profile shells provides automatic temporary privilege elevation.I'd say profile shells are convenient and recommended only when it can be assured that the side-effects aren't persistent or harmful. As it's impossible to control this for the built-in rights profiles, it's better to avoid combining them.
The automation is handy, unless there are persistent side-effects.
Hence it's still better to explicitly use the traditional pfexec(1) instead of specifying (with the -e option) a profile shell to passwd(1). Indeed, pfexec(1) is still more convenient and safer than the ubiquitous sudo(1m).
Nevertheless, in this particular example, I shall investigate if somehow the authorization solaris.file.owner from /etc/security/auth_attr.d/core-os mitigates the issue.
