18:28:10 Hi to all, I wish to delegate to a friend the ability to run snoop or tcpdump on my server. I assigned it the "Network Manager" profile, but still tcpdump returns this error:
18:28:36 "You don't have permission to perform this capture on that device (Attempt to open DLPI device failed with EACCES - root privilege may be required)"
18:29:28 anyone can suggest me which permission/RBAC privilege should I assign to him in order to make it work?
19:05:12 pfexec snoop or pfexec tcpdump
19:05:59 yes, but which RBAC profile is needed to let him capture network traffic?
19:07:25 maybe several ways to achieve this. you could sudo like enable running as root for the snoop or tcpdump tool.
19:08:19 or you could see for the needed network privileges and allow this. Just remember that changing the permissions might need re-logon for the user to get the permissions active.
19:08:49 the user could run "profiles -l" and see what is currently active.
19:09:42 after a bit of research, I found that it seems to be required the "raw_access" privilege, so I created a file '/etc/security/prof_attr.d/custom' with this content:
19:09:46 Network RAWaccess:::Allow direct access to network layer:privs=net_rawaccess;help=None.html
19:09:59 then I refreshed the rbac service
19:11:11 now the user, whom I assigned the "Network RAWaccess" profile to, is able to capture traffic! :) But I do not know if this is the right way to use RBAC based permissions... it's ok?
19:13:36 you could try assigning net_observability
19:15:36 Thanks, I'll try ASAP (my client just crashed)... but the way I set the RBAC profile is the right one? I have very little experience with RBAC
19:17:06 you might go with using the tools to assign a role to the user instead of editing the files in /etc/security
19:18:43 for instance add a line to /etc/user_attr like this frank::::profiles=Network Observability
19:22:47 ok, thanks. But assigning that account the existing profile "Network Observability" does not allow him to capture traffic. For this I thought it was necessary to define a new custom profile, which has the raw_access privilege
19:53:00 Since my custom-defined profile did not show up in the "profile -l" output, I followed the example I found for the "Network Observability" profile. I wrote this in /etc/security/exec_attr.d/custom:
19:53:22 Network Direct Access:solaris:cmd:::/usr/sbin/snoop:privs=net_rawaccess
19:54:02 And this line in /etc/security/prof_attr/custom:
19:54:22 Network Direct Access:::Allow direct access to network layer:privs=net_rawaccess;help=None.html
19:55:32 then I issued "svcadm refresh rbac" and assigned the "Network Direct Access" profile to the user, which now is allowed to capture network traffic with this command:
19:56:06 pfexec tcpdump -i [...]
19:57:16 also, the "profile -l" command shows the details: https://paste.omnios.org/?567cc5848ac2de24#8DngVsQ2KGbpQGr1psVh5NDWkR6dhGsdLqvbWfGyPv3