Giving a user privileges to run dtrace
Today I prepared for my presentation of DTrace. I met a problem that I can not run my D Script xs dtrace: failed to initialize dtrace: DTrace requires additional privileges. I undertand that I am not sysadmin in that system. What I hoped is my sysadmin can offer me some right to excute D Script files. Find this paper, useful! Thank you very much: http://blogs.sun.com/fintanr/date/20040629
Giving a user privileges to run dtrace
One of the litany of new features that has been added to Solaris 10 (which of course you can download via the Solaris Express program) is a new fine grained privilege model put in place by Casper Dik, (blog).
Privileges and all of its associated configuration is documented in the Security Services
section of the S10 System Administration Guide. Personally I like to
use privileges to allow me to use dtrace on my own stuff without having
to su to root every time, so heres how you set this up.
First off,
lets say I don't have any privileges to run dtrace, and I try to
execute it as myself on one of my own processes. In this case I want to
take a look at what one of my other shells is doing
$ ps -fU fintanr | sed -e "/$$/d" | grep ksh
UID PID PPID C STIME TTY TIME CMD
fintanr 8995 1310 0 12:19:06 pts/3 0:00 -ksh
fintanr 8969 1439 0 12:13:26 pts/11 0:00 -ksh
$ dtrace -n 'pid8995:libc.so.1::entry'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
And so it fails. Now while this is nice and prevents people messing
around with dtrace, lets say your a sysadmin and you have provided an
Solaris Express box for your local developers to play with, but being a
sysadmin, you don't want to give them the root password so that they
can run dtrace (and being developers mess up your nicely configured
machine by changing every available setting as well). So in this case
the username is fintanr, so I run.
usermod -K defaultpriv=basic,dtrace_proc,dtrace_user fintanr
Which
will give me access to my own processes in userland. I could also add
in dtrace_kernel to these privileges as well. So now I fire up dtrace
on the same ksh process that I was looking at above.
$ /usr/sbin/dtrace -n 'pid8995:libc.so.1::entry'
dtrace: description 'pid8995:libc.so.1::entry' matched 2471 probes
dtrace: buffer size lowered to 2m
CPU ID FUNCTION:NAME
0 44225 lseek64:entry
0 43686 read:entry
0 43985 _save_nv_regs:entry
0 44119 _read:entry
..............Some useful guide you can find here: http://docs.sun.com/app/docs/doc/817-6223/chp-intro
That link is bad.
Posted by Dick Davies on October 17, 2007 at 06:45 AM PDT #
Could you please show me which link is bad?
Posted by 70.65.138.249 on October 17, 2007 at 11:41 AM PDT #
Sorry - the 'dtrace answerbook' link at the bottom of the article.
Posted by Dick Davies on October 17, 2007 at 11:43 AM PDT #
Sorry - I see what's going on now - you've pasted fintanrs article into this blog.
Posted by Dick Davies on October 17, 2007 at 11:46 AM PDT #
Hi Dick,
I just changed the link to the very first chapter of the guide, maybe you can get what you want. Yes, xs It's great article, so I pasted fintanrs into my blog.
Posted by Yunpu on October 17, 2007 at 11:56 AM PDT #