Date:      Wed, 4 Jun 2014 09:47:09 -0400
From:      Mark Johnston <markj@freebsd.org>
To:        "Sevan / Venture37" <venture37@gmail.com>
Cc:        "freebsd-dtrace@freebsd.org" <freebsd-dtrace@freebsd.org>
Subject:   Re: Postgresql provider no longer working
Message-ID:  <CAMw1wOxA_CM40iaGHhO7taVMjy7n453V1u8V0ftKmxM3AbEyvg@mail.gmail.com>
In-Reply-To: <CA%2BU3Mf5BYhwS6im-LHJz=%2Bn2X5REU=PoU29oCttv=%2BQqjA1LQA@mail.gmail.com>
References:  <CA%2BU3Mf7qPoB3=DgnG16JfmZK0Suu1W5TTHoBpc6Cb7Lru_Zn3w@mail.gmail.com> <CAMw1wOxtRmuFcW-V677EzRYKB=DHPd3oU25vmy4zuc_JZPa1hw@mail.gmail.com> <CA%2BU3Mf5BYhwS6im-LHJz=%2Bn2X5REU=PoU29oCttv=%2BQqjA1LQA@mail.gmail.com>

On Wed, Jun 4, 2014 at 6:35 AM, Sevan / Venture37 <venture37@gmail.com> wrote:
> On 4 June 2014 02:45, Mark Johnston <markj@freebsd.org> wrote:
>> Hi,
>>
>> I can't reproduce this using postgres 9.3.4 on r267033 (current). As
>> usual, it was necessary to first kldload dtraceall and make sure
>> postgres could access /dev/dtrace/helper (in my case I've added the
>> pgsql user to the wheel group). It's also necessary to build with
>> dtraceall loaded (otherwise dtrace -G will fail I think). With that,
>> the probes show up as expected.
>>
>> Do other ports create probes successfully? lang/php5 has a DTrace
>> option and manages to create probes when I run it. If it doesn't in
>> your environment, could you try running it with the
>> DTRACE_DOF_INIT_DEBUG environment variable set to "1" and pass along
>> the output?
>>
>> Thanks,
>> -Mark
>
> Hi Mark,
> As previous, adjusting the permissions on /dev/dtrace/helper resolved the issue.
> What threw me was that I did try PHP & netatalk before posting & the
> probes for those two did appear.
> Revisiting those again now I see that they have a master process which
> runs as root hence not being locked out of access to
> /dev/dtrace/helper.
>
> Moving forward, what's your opinion on the addition of a new system
> group called dtrace, & the devfs rules
>
> own dtrace/helper root:dtrace
> perm dtrace/helper 0660
>
> Postgresql can be made a member of this group if it's installed with
> dtrace support & things work from the start.
> Happy to raise the patch, just running it past you as I'm unsure what
> ideas there are for delegating access in the future.

I think it would be simpler to just allow any process to register
probes through /dev/dtrace/helper, with some limits on the number of
probes that can be registered by a given process. I believe this is
what illumos does. If for some reason this can't be done, then having
a dtrace group would be a good alternative, but it's probably
preferable to avoid implementing both solutions.

However, before changing the default permissions I'd like the code
(probe and DOF registration handlers specifically) to be audited by
someone on the security team.

-Mark


