I need to allow a non-root user to run tcpdump on a server with
"SunOS NetmanSec 5.10 Generic_125100-05 sun4u sparc SUNW".
When I try to use the sniffer I receive the error
"tcpdump: /dev/ce: Permission denied"
but if I look at the device it seems to have the right grant
lrwxrwxrwx 1 root root 28 Jun 25 2007 /dev/ce -> ../devices/pseudo/clone@0:ce
Can you give me some help?
Thanks
C
You're looking at the permissions of the symbolic link.
To check the permissions of the actual device, use
ls -lL /dev/ce
Regards,
Ike
Take a look at "man rbac", for controlled security access
that's already native to Solaris, or google for "sudo" for
a Gnu product you can download and use.
\:-\
Hi Ike,
Thanks a lot, this is the actual configuration
"crw------- 1 root sys 11, 80 Jun 25 2007 /dev/ce"
Just one last question: must I just modify the permission?
For example, can I put the "r" grant for all, like this: "crw----r--"?
Thanks
C
> Thanks a lot, this is the actual configuration
> "crw------- 1 root sys 11, 80 Jun 25 2007 /dev/ce"
> just a last question, I must just modify the permission?
> For example I can put the "r" grant for all like this: "crw----r--"
You really want to do this via RBAC or sudo, not like this.
Hi ThanksButNot,
I'm looking at rbac, but I hope it will be enough to change the
permission of the device.
M
Hi Tim,
I have root access, so I would not use RBAC or sudo but just the
command "chmod 604". Is it a wrong way for you?
M
> Hi Tim,
This should work for you, but realize that after this change, you'll
let every user on this machine be able to read all network traffic
going in and out of this machine, including all passwords if they go
over the clear. If you forget to change it back, this ability will
be most likely there forever, creating a huge security hole for you.
With RBAC or sudo, you at least restrict to just that user the
ability to do the one command you want at an elevated
ability, with logging of what they did.
That's a whole lot better security-wise.
Changing the permission on the device will work -- but I would
suggest reading Doug McIntyre's response on this thread.
Setting up a controlled access with rbac *is* the superior
option. It will give you what you need without creating too
many security risks.
Security may not be an issue for you *now* -- but it's likely
to be an issue in the future.
/:-/
[...]
> Security may not be an issue for you *now* -- but it's likely
> to be an issue in the future.
Indeed.
If, for whatever reason, neither sudo nor rbac can be deployed in a
particular environment, then one could make a tcpdump group, set the
tcpdump executable to belong to that group, mode 4750, and add the users
that are to be able to execute tcpdump as root to the tcpdump group.
Or, /devices/pseudo/clone@0:ce could be set to belong to the tcpdump
group, mode 640.
--
Alessandro Selli http://alessandro.route-add.net
WARNING: messages sent to "trappola" will never reach me.
Chiave PGP/GPG key: EC885A8B
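
Added example, not part of any post in this thread: a POSIX shell check that shows the mode of the link next to the mode of the node it points to (the `ls -lL` point above) and classifies who can read the node under the 600, 640 and 604 modes discussed. The function names and the temporary file standing in for /dev/ce are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: who may read a capture device, judged on the real node.

# link_mode PATH: mode string of the path itself (what plain "ls -l" shows).
link_mode() {
    line=$(ls -ld "$1" 2>/dev/null) || return 1
    echo "${line%% *}"
}

# read_access PATH: follow symlinks (-L) and classify read access on the
# target as owner-only, group or world; prints "missing" if it is absent.
read_access() {
    line=$(ls -lLd "$1" 2>/dev/null) || { echo missing; return 1; }
    mode=${line%% *}                          # e.g. crw-r-----
    group_r=$(printf '%s' "$mode" | cut -c5)  # group read bit
    other_r=$(printf '%s' "$mode" | cut -c8)  # other read bit
    if [ "$other_r" = r ]; then
        echo world
    elif [ "$group_r" = r ]; then
        echo group
    else
        echo owner-only
    fi
}

# Constructed demo: a regular file behind a symlink stands in for /dev/ce,
# so it runs without root. Modes are the ones discussed in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/node"
    ln -s node "$dir/link"
    out="link=$(link_mode "$dir/link")"
    for m in 600 640 604; do
        chmod "$m" "$dir/node"
        out="$out $m=$(read_access "$dir/link")"
    done
    rm -rf "$dir"
    echo "$out"
}

demo
```

On the real system, `read_access /dev/ce` reports the access class of the device node itself, whatever the symlink's own mode says.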
> Hi,
>
[cut]
>
> C
Hi Guys,
First, let me say "Thank you".
Your suggestions help me very much.
I'm leaning towards using the SUID command for tcpdump (I don't know if this is a
good way, but for now it seems the easiest).
RBAC seems to be too difficult for me (usually I don't work on SunOS).
Thanks again,
have a good day
Costa