Matt Ingenthron
2008-May-16 06:27 UTC
[dtrace-discuss] how can we use libdtrace within the DTrace security restrictions?
Hi all,

What is the correct way to give one non-root user the ability to use DTrace with providers running in a process by another user?

Through the Web Stack project and some work by Ludovic Champenois and Nasser Nouri, we have done a bit of work to bring together parts of chime, the Web Stack Apache, Ruby and PHP providers, and stuff reused from the DTrace toolkit. It's in its early days, but we'd obviously like to build on top of this. Since it uses chime, at the lowest levels it also uses the DTrace Java APIs and libdtrace.

However, we've had one challenge for which we've not yet found a solution. All of the Web Stack components run as different users. For example, Apache runs as webservd and mysql runs as mysql. In Web Stack, we have some scripts which set up a user profile and permissions to allow a regular user (i.e. the developer who is running this on their laptop) to manage the services, edit configuration files and deploy content. Ideally, then the user would be able to transparently use the NetBeans IDE to develop/deploy content and use DTrace to observe what's going on with their app.

We've tried giving the user the dtrace_proc, dtrace_kernel and dtrace_user privileges, but the user cannot see or use the providers in the process owned by another user. Running by root or pfexec with Primary Admin profile works. Is this by design? Is there any good way to address this? Running NetBeans as root is impractical for a variety of reasons.

Thanks in advance,

- Matt

--
Matt Ingenthron - Web Infrastructure Solutions Architect
Sun Microsystems, Inc. - Global Systems Practice
http://blogs.sun.com/mingenthron/
email: matt.ingenthron at sun.com
Phone: 310-242-6439

Adam Leventhal
2008-May-16 07:30 UTC
[dtrace-discuss] how can we use libdtrace within the DTrace security restrictions?
Hey Matt,

> We've tried giving the user the dtrace_proc, dtrace_kernel and
> dtrace_user privileges, but the user cannot see or use the providers in
> the process owned by another user. Running by root or pfexec with
> Primary Admin profile works. Is this by design? Is there any good way
> to address this? Running NetBeans as root is impractical for a variety
> of reasons.

Take a look at the chapter on security:

http://wikis.sun.com/display/DTrace/Security

In particular, check the note in the dtrace_proc section.

Adam

--
Adam Leventhal, Fishworks
http://blogs.sun.com/ahl

Matt Ingenthron
2008-May-16 15:08 UTC
[dtrace-discuss] how can we use libdtrace within the DTrace security restrictions?
Thanks much Adam!

Adam Leventhal wrote:
>
> Take a look at the chapter on security:
>
> http://wikis.sun.com/display/DTrace/Security
>
> In particular, check the note in the dtrace_proc section.

Sounds like that'll solve what we need. I did look in the docs, but must have missed this.

Thanks again,

- Matt

--
Matt Ingenthron - Web Infrastructure Solutions Architect
Sun Microsystems, Inc. - Global Systems Practice
http://blogs.sun.com/mingenthron/
email: matt.ingenthron at sun.com
Phone: 310-242-6439