-
warden
Hi to all, I wish to delegate to a friend the ability to run snoop or tcpdump on my server. I assigned him the "Network Manager" profile, but tcpdump still returns this error:
-
warden
"You don't have permission to perform this capture on that device (Attempt to open DLPI device failed with EACCES - root privilege may be required)"
-
warden
Can anyone suggest which permission/RBAC privilege I should assign to him in order to make it work?
-
tomww
pfexec snoop or pfexec tcpdump
-
warden
yes, but which RBAC profile is needed to let him capture network traffic?
-
tomww
Maybe several ways to achieve this. You could use sudo, like enabling running as root for the snoop or tcpdump tool.
-
tomww
Or you could look for the needed network privileges and allow those. Just remember that changing the permissions might need a re-logon for the user to get the permissions active.
-
tomww
The user could run "profiles -l" and see what is currently active.
-
warden
After a bit of research, I found that the "raw_access" privilege seems to be required, so I created a file '/etc/security/prof_attr.d/custom' with this content:
-
warden
Network RAWaccess:::Allow direct access to network layer:privs=net_rawaccess;help=None.html
-
warden
Then I refreshed the rbac service.
-
warden
Now the user, whom I assigned the "Network RAWaccess" profile to, is able to capture traffic! :) But I do not know if this is the right way to use RBAC-based permissions... is it ok?
-
tomww
You could try assigning net_observability.
-
warden
Thanks, I’ll try ASAP (my client just crashed)… but is the way I set the RBAC profile the right one? I have very little experience with RBAC.
-
tomww
You might go with using the tools to assign a role to the user instead of editing the files in /etc/security.
-
tomww
For instance, add a line to /etc/user_attr like this: frank::::profiles=Network Observability
-
warden
OK, thanks. But assigning that account the existing profile "Network Observability" does not allow him to capture traffic. For this I thought it was necessary to define a new custom profile which has the raw_access privilege.
-
warden
Since my custom-defined profile did not show up in the "profiles -l" output, I followed the example I found for the "Network Observability" profile. I wrote this in /etc/security/exec_attr.d/custom:
-
warden
Network Direct Access:solaris:cmd:::/usr/sbin/snoop:privs=net_rawaccess
-
warden
And this line in /etc/security/prof_attr/custom:
-
warden
Network Direct Access:::Allow direct access to network layer:privs=net_rawaccess;help=None.html
-
warden
Then I issued "svcadm refresh rbac" and assigned the "Network Direct Access" profile to the user, who is now allowed to capture network traffic with this command:
-
warden
pfexec tcpdump -i [...]
-
warden