Date: Thu, 15 Jun 2017 11:45:28 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-dtrace@freebsd.org
Subject: Creating a dtrace group?
Message-ID: <2909a957-80a9-8f14-079f-972d18143747@FreeBSD.org>

This is something that came up while I was flailing about trying to get
dtrace working with postgresql during BSDCan. Many thanks to markj and
swills and others for their help.

By default the permissions/ownership on /dev/dtrace/helper look like this:

    crw-rw---- 1 root wheel 0x5 Jun 3 11:42 helper

In order to dtrace a userland application it needs read/write access to
that device. Now, that's not the case for example with postgresql which
switches to a non-root uid on startup. Most persistent daemon processes
with network access will do this for obvious security reasons. The
effect is that running 'dtrace -l -m postgres' shows no available probes.

One solution is to create a new 'dtrace' unix group, which the userids
those daemons run under can be added to, and make /dev/dtrace/helper
owned by that group. Like so:

    # pw group add -n dtrace -g 141 -M postgres
    # cat /etc/devfs.rules
    [userdtrace=10]
    add path dtrace/helper mode 0660 group dtrace
    # sysrc devfs_system_ruleset="userdtrace"

(GID 141 is just the first available from /usr/ports/GIDs)

This makes /dev/dtrace/helper look like so:

    crw-rw---- 1 root dtrace 0x5 Jun 3 11:42 helper

and the postgres user account:

    # id postgres
    uid=770(postgres) gid=770(postgres) groups=770(postgres),141(dtrace)

Would it be possible to create a dtrace group like this in the default
/etc/group and change the devfs settings so that /dev/dtrace/helper is
group owned by the new dtrace by default?

Preferably if this could go into the upcoming 11.1 and 10.4 releases?

Making postgres and other UIDs used by daemon processes members of the
dtrace group will have to be added to individual ports, but that's easy
enough.

Cheers,

Matthew
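Added example, not part of the original message: a POSIX sh check that decides, from an `ls -l` line for /dev/dtrace/helper and the `id` output of a service account, whether that account can open the device read/write. The function name can_use_helper is hypothetical; the sample lines are the ones quoted in the message.

```sh
#!/bin/sh
# Added example. can_use_helper is a hypothetical name.
# Usage: can_use_helper "<ls -l line>" "<id output>"
# Returns 0 when the account may open the device read/write.
can_use_helper() {
    ls_line=$1
    id_line=$2

    # ls -l fields: mode, link count, owner, group, rest
    read -r mode _links owner group _rest <<EOF
$ls_line
EOF

    # uid=770(postgres) ... -> numeric uid and login name
    uid=$(printf '%s\n' "$id_line" | sed -n 's/^uid=\([0-9]*\)(.*/\1/p')
    user=$(printf '%s\n' "$id_line" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
    # groups=770(postgres),141(dtrace) -> one group name per line
    # (FreeBSD id(1) lists the primary group here as well)
    groups=$(printf '%s\n' "$id_line" | sed -n 's/.*groups=//p' |
        tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/')

    # root is not restricted by the mode bits
    [ "$uid" = 0 ] && return 0

    # Only one permission triplet applies: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-3)
    elif printf '%s\n' "$groups" | grep -qxF "$group"; then
        bits=$(printf '%s' "$mode" | cut -c5-6)
    else
        bits=$(printf '%s' "$mode" | cut -c8-9)
    fi
    [ "$bits" = "rw" ]
}

# Lines quoted in the message: default ownership, then after the devfs rule.
pg_id='uid=770(postgres) gid=770(postgres) groups=770(postgres),141(dtrace)'
for line in 'crw-rw---- 1 root wheel 0x5 Jun 3 11:42 helper' \
            'crw-rw---- 1 root dtrace 0x5 Jun 3 11:42 helper'; do
    if can_use_helper "$line" "$pg_id"; then
        echo "postgres: read/write OK   <- $line"
    else
        echo "postgres: no access       <- $line"
    fi
done
```

On a live host the two arguments would be "$(ls -l /dev/dtrace/helper)" and "$(id postgres)"; running the check for every account in the group shows exactly which daemons have gained access to the helper device.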