Tuesday Oct 16, 2007

DTrace with non-root user



DTrace requires root privileges to run. DTrace is non-destructive, i.e., you can't do any harm to the system or process that you are tracing. Still, letting normal users run DTrace can be a security issue, because such a user can get any information on the system or about another user, including passwords.

If you are using a laptop or a personal desktop, then enabling DTrace for yourself could be very helpful, especially if you are developing and debugging an application. This can be done with a simple command:

# usermod -K defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel <login_id>

This command has to be run as root. It updates the /etc/user_attr file with the privileges given here. By default, a normal user has only the basic privilege, but this is not recorded in the /etc/user_attr file. Once any additional privileges are added, only the privileges listed there apply. That's why the basic privilege must be included when adding additional privileges; otherwise the user will not be able to log in next time. Note that the user may have to log out and log in again for the privileges to take effect.

To know more about what each privilege allows you to do, run:

# ppriv -lv dtrace_proc,dtrace_user,dtrace_kernel

Try the same with the basic privilege as well.

To remove the privileges, don't give any value to defaultpriv in the above command.
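
To review which accounts have been given DTrace privileges this way, and to catch an entry that leaves out basic, here is an added example (not part of the original post) that scans a file in the /etc/user_attr format. The user names, sample entries and function names are constructed for illustration; negated privileges such as !file_link_any are skipped rather than evaluated.

```shell
#!/bin/sh
# Added example: list DTrace privilege grants in a user_attr(4)-format file.
# Entry layout: user:qualifier:res1:res2:attr, attr = key=value;key=value

# Constructed sample entries (hypothetical users), not taken from a real system.
sample_user_attr() {
    cat <<'EOF'
# constructed sample
root::::auths=solaris.*;profiles=All;type=normal
alice::::defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel
bob::::type=normal;defaultpriv=dtrace_proc,dtrace_user
carol::::defaultpriv=basic,!file_link_any
EOF
}

# Prints "<user> DTRACE <privs>" for every DTrace grant and
# "<user> NO_BASIC <privs>" when defaultpriv omits basic.
# "all" is treated as containing both basic and the dtrace_* privileges.
# Reads the named file, or stdin when no file is given.
audit_user_attr() {
    awk -F: '
    /^[ \t]*#/ || NF < 5 { next }            # comments, malformed lines
    {
        attr = $5
        for (i = 6; i <= NF; i++) attr = attr ":" $i
        n = split(attr, kv, ";")
        for (i = 1; i <= n; i++) {
            if (index(kv[i], "defaultpriv=") != 1) continue
            privs = substr(kv[i], length("defaultpriv=") + 1)
            if (privs == "") continue
            m = split(privs, p, ",")
            has_basic = 0; dt = ""
            for (j = 1; j <= m; j++) {
                if (p[j] ~ /^[!-]/) continue   # negated privilege: skipped
                if (p[j] == "basic" || p[j] == "all") has_basic = 1
                if (p[j] ~ /^dtrace_/ || p[j] == "all")
                    dt = dt (dt == "" ? "" : ",") p[j]
            }
            if (dt != "") print $1, "DTRACE", dt
            if (!has_basic) print $1, "NO_BASIC", privs
        }
    }' "$@"
}

sample_user_attr | audit_user_attr
```

On a real system, pass the file as an argument, for example audit_user_attr /etc/user_attr. A NO_BASIC line marks an account that may not be able to log in.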



About

jkini
