## Background

Currently, running user-space tracing programs requires running the process as `root`, but we can do a little bit better. By granting particular Linux [capabilities](https://linux.die.net/man/7/capabilities), we can permit certain users (or files) to have additional capabilities without full root.

## Grant options

There are two main options when it comes to granting capabilities:

1. Grant them to the user for all their actions
2. Grant them to a particular file

Note that option 2 doesn't work well with scripts, like `*.py` files: the kernel only honours file capabilities on the binary it actually executes, and for a `#!` script that is the interpreter, not the script. In this case we must grant them to the python binary directly.

:::warning
Avoid granting capabilities to system python binaries to minimise security impact. Anyone who can execute a capability-bearing interpreter gets that capability, and `cap_sys_admin` is close to full root.
:::

## Method

Using the stricter of the options, file-based capabilities, we can grant the required capabilities to the file using the `setcap` tool:

:::info
[`man setcap`](https://man7.org/linux/man-pages/man8/setcap.8.html)
:::

The tool can be used to add capabilities in the following way:

```bash
sudo setcap 'cap_sys_admin=ep' file_name
```

Capabilities (all of them at once) can be removed with:

```bash
sudo setcap -r file_name
```

Capabilities of a file can be checked with:

```bash
getcap file_name
```

Two things to keep in mind: `setcap` follows symlinks, so the capability lands on the file the link points to, and file capabilities are dropped when the binary is rewritten or replaced (an upgrade or a recreated venv), so re-check with `getcap` after any such change.

### For python USDT scripts

Because we are going to grant capabilities to a python binary, I would prefer to avoid granting them to the system python binary. To avoid this I have used a dedicated venv which I use with elevated permissions. This keeps the rest of the OS (system services and other users' scripts that run `/usr/bin/python3`) on the unprivileged interpreter. Other methods of using an isolated python binary will work just the same.

One catch: by default `python3 -m venv` makes `bin/python3` a symlink to the system interpreter, and since `setcap` follows symlinks the capability would end up on the system binary anyway. Create the venv with `--copies`, or confirm with `readlink -f /path/to/venv/bin/python3` that it resolves to a file inside the venv, before running `setcap`.

Linux tracing requires the `cap_sys_admin` capability (on kernels 5.8 and newer the narrower `cap_bpf` and `cap_perfmon` may be enough, depending on the tool, so they are worth trying first), which means my required workflow is:

```bash
$ sudo setcap 'cap_sys_admin=ep' /path/to/venv/bin/python3
$ getcap /path/to/venv/bin/python3
/path/to/venv/bin/python3 cap_sys_admin=ep
```
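As an added example (not code from the original post), here is the workflow above as a shell script with the two checks a practitioner would want around `setcap`: that the venv's `bin/python3` is a real file inside the venv rather than a symlink to the system interpreter, and that `getcap` afterwards really reports `cap_sys_admin` as effective and permitted. The venv path, the `tracing` group (`TRACE_GROUP`) and the `0750` mode are assumptions for illustration; the parser accepts both `getcap` output styles (`file = cap_x+ep` from older libcap and `file cap_x=ep` from libcap 2.41 and newer). The privileged steps only run when a venv path is passed on the command line.

```sh
#!/bin/sh
# Added example (not from the original post): prepare an isolated Python
# interpreter for USDT tracing, refuse to setcap a symlink into the system
# interpreter, and verify/lock down the result. The venv path and the
# TRACE_GROUP group name are assumptions for illustration.
set -eu

# resolve_interpreter FILE: print the real file that setcap would modify.
# setcap follows symlinks, so a venv created without --copies would get
# the capability applied to /usr/bin/python3 instead of the venv copy.
resolve_interpreter() {
    readlink -f "$1"
}

# is_isolated_interpreter VENV_DIR: succeed only if VENV_DIR/bin/python3
# resolves to a real file located inside VENV_DIR.
is_isolated_interpreter() {
    venv_real=$(readlink -f "$1")
    py_real=$(resolve_interpreter "$1/bin/python3")
    case "$py_real" in
        "$venv_real"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# cap_granted GETCAP_LINE CAPNAME: succeed if CAPNAME is both effective (e)
# and permitted (p) in one line of getcap output. Accepts both formats:
#   "/path = cap_sys_admin+ep"   (libcap before 2.41)
#   "/path cap_sys_admin=ep"     (libcap 2.41 and newer)
# including comma-separated capability lists that share one flag set.
cap_granted() {
    flags=$(printf '%s\n' "$1" \
        | grep -Eo "(^|[ ,=])$2(,cap_[a-z_]+)*[=+][eip]+" \
        | sed 's/.*[=+]//')
    case "$flags" in
        *e*p*|*p*e*) return 0 ;;
        *) return 1 ;;
    esac
}

# setup_tracing_venv VENV_DIR: the full procedure (needs sudo; not run by default).
setup_tracing_venv() {
    venv=$1
    group=${TRACE_GROUP:-tracing}   # assumed group of users allowed to trace

    # --copies makes bin/python3 a real file, so the capability stays in the venv
    python3 -m venv --copies "$venv"
    if ! is_isolated_interpreter "$venv"; then
        echo "refusing: $venv/bin/python3 resolves outside the venv" >&2
        return 1
    fi

    sudo setcap 'cap_sys_admin=ep' "$venv/bin/python3"

    # Anyone who can execute this file gets cap_sys_admin (near-root) and can
    # steer what it imports via PYTHONPATH, so restrict execute permission.
    sudo chgrp "$group" "$venv/bin/python3"
    sudo chmod 0750 "$venv/bin/python3"

    line=$(getcap "$venv/bin/python3")
    if ! cap_granted "$line" cap_sys_admin; then
        echo "setcap did not take effect on $venv/bin/python3" >&2
        return 1
    fi
    printf '%s\n' "$line"
}

# Usage: sh thisfile.sh /path/to/venv
# The privileged steps only run when a venv path is given.
if [ "$#" -gt 0 ]; then
    setup_tracing_venv "$1"
fi
```

The symlink check is the important one: with a default venv, `readlink -f` on `bin/python3` returns `/usr/bin/python3`, and running `setcap` there would hand `cap_sys_admin` to every user and service on the machine that runs the system interpreter.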