
Background

Currently, running user-space tracing programs requires running the process as root, but we can do a little better.

By granting particular Linux capabilities, we can permit certain users (or files) to have additional capabilities without full root.

Grant options

There are two main options when it comes to granting capabilities:

  1. Grant them to the user for all their actions
  2. Grant them to a particular file.

Note that option 2 doesn't work well with scripts, like *.py files: file capabilities apply to the executable the kernel actually runs, which for a script is the interpreter. In this case we must grant them to the python binary directly.

Avoid granting capabilities to system python binaries to minimise security impact.

Method

Using the stricter of the two options, file-based capabilities, we can grant the required capabilities to the file using the setcap tool.

The tool can be used to add capabilities in the following way (here cap_sys_admin in the effective and permitted sets, "ep"):

sudo setcap 'cap_sys_admin=ep' file_name

Capabilities (all of them at once) can be removed with:

sudo setcap -r file_name

Capabilities of a file can be checked with:

getcap file_name

For python USDT scripts

Because we are going to grant capabilities to a python binary, I would prefer to avoid granting them to the system python binary.

To avoid this I have used a dedicated venv, whose interpreter is the one I use with the elevated capabilities. This prevents the OS from running the more-capable python binary.

Other methods of using an isolated python binary will work just the same.

Linux tracing requires the cap_sys_admin capability, so my required workflow is:

$ sudo setcap 'cap_sys_admin=ep' /path/to/venv/bin/python3
$ getcap /path/to/venv/bin/python3
/path/to/venv/bin/python3 cap_sys_admin=ep
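The workflow above has one gotcha worth checking before running setcap: `python3 -m venv` creates bin/python3 as a symlink to the base interpreter by default (unless you pass --copies), and setcap follows symlinks, so the capability would land on the system python after all. The script below is an added example, not part of the original note; it resolves the venv interpreter to its real file, refuses if that file lives in an OS-managed location, and only then applies the setcap/getcap steps from the note. The venv directory argument and the list of "system" prefixes are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original note): pre-flight checks before
# granting cap_sys_admin to a venv interpreter, then the setcap/getcap
# steps from the note. Assumed layout: a venv at "$1" containing bin/python3.
set -eu

# Resolve symlinks. "python3 -m venv" symlinks bin/python3 to the base
# interpreter by default, and setcap follows the link, so the file that
# would actually receive the capability is the link target.
resolve_target() {
    readlink -f "$1"
}

# Paths under these prefixes are treated as the OS's own interpreters
# (assumed list; extend for your distribution).
is_system_path() {
    case "$1" in
        /usr/bin/*|/usr/local/bin/*|/bin/*|/usr/lib/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the resolved interpreter path and returns 0 when it is safe to
# grant: it exists, is a regular file, and is outside the system prefixes.
preflight() {
    target=$(resolve_target "$1") || return 1
    if [ ! -f "$target" ]; then
        echo "not a regular file: $target" >&2
        return 1
    fi
    if is_system_path "$target"; then
        echo "refusing: $1 resolves to system interpreter $target" >&2
        echo "recreate the venv with: python3 -m venv --copies <dir>" >&2
        return 1
    fi
    echo "$target"
}

# The grant from the note, applied to the resolved file and read back.
grant_tracing_cap() {
    target=$(preflight "$1") || return 1
    sudo setcap 'cap_sys_admin=ep' "$target"
    getcap "$target"
}

# Usage: ./grant_tracing_cap.sh /path/to/venv
if [ "$#" -gt 0 ]; then
    grant_tracing_cap "$1/bin/python3"
fi
```

Run it as `./grant_tracing_cap.sh /path/to/venv`; with no arguments it only defines the functions, so it can be sourced to run `preflight` alone as a dry run. Because cap_sys_admin=ep is granted to whoever can execute that file, keeping the venv directory writable and executable only by the intended user is the complementary control.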