Tracing with DTrace, when custom probe provider is running as regular user
Matthew Seaman
matthew at FreeBSD.org
Mon Apr 9 10:30:26 UTC 2018
On 09/04/2018 11:01, Daniel Dettlaff wrote:
> The issue is critical for tracing PostgreSQL, which demands to run as a
> NON-privileged user, but in general launching any server software as root
> should be considered to be "harmful" / "a bad idea", right?
The issue with allowing non-privileged users access to dtrace is the
risk of disclosing kernel memory. Unfortunately blocking this access
means that using the UserSDT's from (for example) postgresql-server
running as the postgres user is not permitted.
> So the question is: is there a way to work around this? I wish to be
> able to trace user software as root using dtrace. Is there a way to
> do it? I build the whole system from source, so I can even do a custom
> patch if I knew where to look :)
Actually, it all depends on the permissions on /dev/dtrace/* -- It's
fairly easy to, say, add a 'dtrace' group, change /dev/dtrace/helper to
be owned by root:dtrace and mode 0770 by tweaking /etc/devfs.rules:

    [userdtrace=10]
    add path dtrace/helper mode 0660 group dtrace

and adding devfs_system_ruleset="userdtrace" to /etc/rc.conf, and then
making the postgres or whatever other users your software runs as
members of group dtrace.
Cheers,
Matthew
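
The steps described in the message above, as an added example that is not part of the original post: a script that applies them idempotently and refuses to overwrite a different devfs_system_ruleset already set in rc.conf. The function names and the --apply switch are hypothetical; pw and service are the FreeBSD base tools, and the ruleset and mode are the ones in the quoted rule lines.

```shell
#!/bin/sh
# Ruleset name, number and rule line are the ones quoted in the message.
RULESET_NAME="userdtrace"
RULESET_NUM="10"
RULE="add path dtrace/helper mode 0660 group dtrace"

# Append the ruleset to a devfs.rules file unless its header is already there.
ensure_ruleset() {
    rules_file="$1"
    if ! grep -qxF "[${RULESET_NAME}=${RULESET_NUM}]" "$rules_file" 2>/dev/null; then
        printf '[%s=%s]\n%s\n' "$RULESET_NAME" "$RULESET_NUM" "$RULE" >> "$rules_file"
    fi
}

# Select the ruleset in an rc.conf file. rc.conf names a single system
# ruleset, so an existing different value is reported, not replaced.
ensure_rcconf() {
    rc_file="$1"
    current=$(sed -n 's/^devfs_system_ruleset="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' \
        "$rc_file" 2>/dev/null | tail -n 1)
    case "$current" in
        "$RULESET_NAME") return 0 ;;
        "") printf 'devfs_system_ruleset="%s"\n' "$RULESET_NAME" >> "$rc_file" ;;
        *)  echo "rc.conf already selects '$current'; add the rule to that ruleset" >&2
            return 1 ;;
    esac
}

# Apply to the live system (run as root on FreeBSD). $1 is the service user.
apply_live() {
    user="$1"
    pw groupshow dtrace >/dev/null 2>&1 || pw groupadd dtrace
    pw groupmod dtrace -m "$user"
    ensure_ruleset /etc/devfs.rules
    ensure_rcconf /etc/rc.conf || return 1
    service devfs restart
    ls -l /dev/dtrace/helper    # expect group dtrace and mode crw-rw----
}

# Nothing on the system is touched unless explicitly requested.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    apply_live "$2"
fi
```

Restart the traced service afterwards so that it starts with the new group membership.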