Date:      Mon, 9 Apr 2018 11:30:10 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-hackers@freebsd.org
Subject:   Re: Tracing with DTrace, when custom probe provider is running as regular user
Message-ID:  <d3c85d69-b5ee-4ae5-9e1e-3ce6ca47618c@FreeBSD.org>
In-Reply-To: <1D449DD6-4D38-4561-8BD0-B6E581AB53A8@gmail.com>
References:  <B7FD6BB4-D74A-4C7F-8C9A-487A25FFCA43@gmail.com> <1D449DD6-4D38-4561-8BD0-B6E581AB53A8@gmail.com>

On 09/04/2018 11:01, Daniel Dettlaff wrote:
> Issue is critical for tracing PostgreSQL which demands to run with
> NON privileged user, but in general launching any server software as root
> should be considered to be "harmful" / "a bad idea" right?

The issue with allowing non-privileged users access to dtrace is the 
risk of disclosing kernel memory.  Unfortunately blocking this access 
means that using the UserSDT's from (for example) postgresql-server 
running as the postgres user is not permitted.

> So question is - is there a way to work around this? I wish to be
> able to trace user software as root using dtrace. Is there a way to
> do it? I build whole system from source so I can even do custom patch
> if I'd know where to look :)

Actually, it all depends on the permissions on /dev/dtrace/* -- It's 
fairly easy to, say, add a 'dtrace' group, change /dev/dtrace/helper to 
be owned by root:dtrace and mode 0770 by tweaking /etc/devfs.rules:

[userdtrace=10]
add path dtrace/helper mode 0660 group dtrace

and adding devfs_system_ruleset="userdtrace" to /etc/rc.conf, and then 
making the postgres or whatever other users your software runs as 
members of group dtrace.

	Cheers,

	Matthew
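
A check to run after applying the rule, added here as an example and not part of the original message: it confirms that only /dev/dtrace/helper was opened to the dtrace group (root:dtrace, mode 0660 as in the rule shown) and that no DTrace node is accessible to all users. The function name, the sample lines and the policy that every other node stays out of the dtrace group are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message). Audits DTrace device-node
# permissions after the devfs rule has been applied.
# Input: one "<mode> <owner> <group> <path>" line per node, as printed on
# FreeBSD by:  stat -f '%Lp %Su %Sg %N' /dev/dtrace/*

# Constructed sample data; "wheel" and the modes shown are illustrative.
SAMPLE_OK='660 root dtrace /dev/dtrace/helper
600 root wheel /dev/dtrace/dtrace'
SAMPLE_BAD='666 root wheel /dev/dtrace/helper
660 root dtrace /dev/dtrace/dtrace'

# Prints one FAIL line per finding; returns 1 if anything was found.
audit_dtrace_nodes() {
    rc=0
    while read -r mode owner group path; do
        [ -n "$path" ] || continue
        mode=${mode#0}                  # accept 0660 as well as 660
        # Any non-zero "other" digit means every local user can open the node.
        case "$mode" in
            *[1-7]) echo "FAIL $path: accessible to all users (mode $mode)"; rc=1 ;;
        esac
        case "$path" in
            */dtrace/helper)
                # The rule in the message: root-owned, group dtrace, mode 0660.
                [ "$owner" = root ] && [ "$group" = dtrace ] && [ "$mode" = 660 ] ||
                    { echo "FAIL $path: want root:dtrace 660, got $owner:$group $mode"; rc=1; } ;;
            *)
                # Assumed policy: the dtrace group is granted the helper node only.
                [ "$group" != dtrace ] ||
                    { echo "FAIL $path: group dtrace on a node other than helper"; rc=1; } ;;
        esac
    done
    return "$rc"
}

# Demo on the constructed samples; on a real host pipe the stat output in instead.
printf '%s\n' "$SAMPLE_OK"  | audit_dtrace_nodes && echo "sample OK: clean"
printf '%s\n' "$SAMPLE_BAD" | audit_dtrace_nodes || echo "sample BAD: findings above"
```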


