A question came up today about how much it would be a security risk to give DBA's pprivs to all of the DTrace layers (basic, dtrace_user, dtrace_proc). It is my understanding this is not much of a security risk and could not be detrimental to the system as a whole. I welcome comments about this.

Paul
Hi Paul,

Is dtrace_kernel under consideration? It potentially allows some leaks by letting a user observe a significant chunk of the kernel's state, but I know of no security holes from dtrace_user and dtrace_proc unless people share userids (which opens up all kinds of other problems anyway).

Maybe an expert on the list can give a more definitive answer, though... everyone in my group at work has root access so dtrace_* privileges are moot from a security standpoint.

Regards,
Ryan

On 3/4/2010 5:00 AM, Paul Anderson wrote:
> A question came up today about how much it would be a security risk to
> give DBA's pprivs to all of the DTrace layers (basic, dtrace_user,
> dtrace_proc). It is my understanding this is not much of a security
> risk and could not be detrimental to the system as a whole. I welcome
> comments about this.
>
> Paul
Casper.Dik at Sun.COM
2010-Mar-04 09:23 UTC
[dtrace-discuss] DTrace security and user usage
>Hi Paul,
>
>Is dtrace_kernel under consideration? It potentially allows some leaks
>by letting a user observe a significant chunk of the kernel's state, but
>I know of no security holes from dtrace_user and dtrace_proc unless
>people share userids (which opens up all kinds of other problems anyway).
>
>Maybe an expert on the list can give a more definitive answer, though...
>everyone in my group at work has root access so dtrace_* privileges are
>moot from a security standpoint.

dtrace_kernel allows you to read all input/output to ttys, including passwords.

Casper