|
RBAC provides functionality built into Solaris 8 similar to the sudo command. For our purposes we wish to use it to allow students limited ability to sniff packets. Needless to say this must be done carefully. In my course I allowed this on one machine in a lab behind a firewall for one hour under my personal supervision. To set up RBAC you must have root privilige.In order to give an existing user the ability to sniff packets you need to define a profile and a role. There are several ways to do this. I am told that the easy way is to use Sun Management Console (SMC). What follows are the directions for doing this the old fashioned way.
Before you do anything else, make safe copies of the following files: /etc/user_attr, /etc/passwd, /etc/shadow, /etc/security/prof_attr, and /etc/security/exec_attr.
Now this is what you do in order to create a profile called Sniffers and a role called Snoopers with a directory /home/Snoopers:
Type
- roleadd -d /home/Snoopers -m Snoopers
- passwd Snoopers
Now add entries or verify that that are already there for the files specified in the following table:
File Name Entry /usr/etc/security/prof_attr Sniffers:::Allow packet sniffing: /usr/etc/security/exec_attr Sniffers:suser:cmd:::/usr/sbin/snoop:euid=0 /usr/etc/user_attr Snoopers::::type=role;profiles=Sniffers,All /usr/etc/user_attr student_user1::::type=normal;roles=Snoopers At the beginning of the time period during which students are to sniff packets announce the password. Students then type
- mkdir temp
- chmod 777 temp
- cd temp
- su Snoopers
- /usr/sbin/snoop > packet_file
At the end of the time period you can do various things to turn this off. Change the Snoopers password, comment out the line in /etc/security/exec_attr that allows then to run snoop, or any number of other things.
Definitely do this way ahead of time. It is tricky!