Currently, running user-space tracing programs requires running the process as root, but we can do a little bit better…
By granting particular Linux capabilities, we can permit certain users (or files) to have additional capabilities without full root.
There are two main options when it comes to granting capabilities:
Note that option 2 doesn't work well with scripts, like *.py files. In this case we must grant them to the python binary directly.
Avoid granting capabilities to system python binaries to minimise security impact.
Using the stricter of the options, file-based capabilities, we can grant the required capabilities to the file using the setcap tool:
The tool can be used to add capabilities in the following way:
sudo setcap 'cap_sys_admin=ep' file_name
Capabilities (all of them at once) can be removed with:
sudo setcap -r file_name
Capabilities of a file can be checked with:
getcap file_name
Because we are going to grant capabilities to a python binary, I would prefer to avoid granting them to the system python binary.
To avoid this I have used a dedicated venv which I use with elevated permissions. This prevents the OS from using the more-capable python binary.
Other methods of using an isolated python binary will work just the same.
Linux tracing requires the cap_sys_admin capability, which means my required workflow is:
$ sudo setcap 'cap_sys_admin=ep' /path/to/venv/bin/python3
$ getcap /path/to/venv/bin/python3
/path/to/venv/bin/python3 cap_sys_admin=ep
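The getcap check above shows what is stored on the file; what matters at run time is whether the interpreter actually started with cap_sys_admin in its effective set. The following is an added example (not part of the original post) that decodes the security.capability xattr that setcap writes and getcap reads, and parses the Cap* lines of /proc/self/status so a tracing script can verify its own privileges before doing anything. The sample xattr bytes and status text are constructed to match the cap_sys_admin=ep grant used above; the venv path is a placeholder.

```python
"""Decode Linux file capabilities (the security.capability xattr that
setcap writes and getcap reads) and a process's capability sets.

Added example for this page, not the original author's code. Constructed
sample values are embedded so it runs without root or a real venv."""
import os
import struct
import sys

# Capability numbers in bit order, as in include/uapi/linux/capability.h
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin "
    "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
    "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
    "sys_tty_config mknod lease audit_write audit_control setfcap "
    "mac_override mac_admin syslog wake_alarm block_suspend audit_read "
    "perfmon bpf checkpoint_restore"
).split()
CAP_SYS_ADMIN = CAP_NAMES.index("sys_admin")  # bit 21

# Layout constants of struct vfs_cap_data (the raw xattr value)
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001  # the 'e' flag getcap prints
VFS_CAP_REVISION_2 = 0x02000000       # 20 bytes: magic + 2 x (permitted, inheritable)
VFS_CAP_REVISION_3 = 0x03000000       # 24 bytes: v2 layout + rootid of a user namespace


def bits_to_names(mask):
    """Turn a capability bitmask into the list of capability names it sets."""
    return [CAP_NAMES[i] for i in range(len(CAP_NAMES)) if mask >> i & 1]


def decode_file_caps(blob):
    """Decode a raw security.capability value.
    Returns (permitted_names, inheritable_names, effective_flag)."""
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError("unsupported vfs_cap_data revision 0x%x" % revision)
    # data[0] holds the low 32 bits of each set, data[1] the high 32 bits
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    permitted = p_lo | (p_hi << 32)
    inheritable = i_lo | (i_hi << 32)
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    return bits_to_names(permitted), bits_to_names(inheritable), effective


def getcap_string(blob):
    """Render the xattr in getcap's notation, e.g. 'cap_sys_admin=ep'."""
    permitted, inheritable, effective = decode_file_caps(blob)
    groups = {}
    for name in CAP_NAMES:  # numeric order keeps the output deterministic
        in_p, in_i = name in permitted, name in inheritable
        if not (in_p or in_i):
            continue
        flags = ("e" if effective and in_p else "") + ("i" if in_i else "") + ("p" if in_p else "")
        groups.setdefault(flags, []).append("cap_" + name)
    return " ".join(",".join(names) + "=" + flags for flags, names in groups.items())


def read_file_caps(path):
    """Read a file's capabilities like getcap does; None if none are set."""
    try:
        return getcap_string(os.getxattr(path, "security.capability"))
    except OSError:  # ENODATA (no caps), ENOTSUP (no xattrs), or not Linux
        return None


def decode_proc_status(status_text):
    """Parse the Cap* lines of /proc/<pid>/status into name lists per set."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, hexval = line.partition(":")
            caps[key] = bits_to_names(int(hexval.strip(), 16))
    return caps


def process_has_cap(status_text, cap_name):
    """True if cap_name is in the effective set described by status_text."""
    return cap_name in decode_proc_status(status_text).get("CapEff", [])


# Constructed sample: what setcap 'cap_sys_admin=ep' stores (v2, effective flag on)
SAMPLE_XATTR = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                           1 << CAP_SYS_ADMIN, 0, 0, 0)
# Constructed sample: /proc/self/status of an interpreter started from that file
SAMPLE_STATUS = (
    "Name:\tpython3\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000200000\n"
    "CapEff:\t0000000000200000\n"
    "CapBnd:\t000001ffffffffff\n"
)

if __name__ == "__main__":
    print("sample xattr decodes to:", getcap_string(SAMPLE_XATTR))
    print("sample process has sys_admin:", process_has_cap(SAMPLE_STATUS, "sys_admin"))
    target = sys.argv[1] if len(sys.argv) > 1 else "/path/to/venv/bin/python3"  # placeholder
    print(target, "file caps:", read_file_caps(target))
    if os.path.exists("/proc/self/status"):  # Linux only
        with open("/proc/self/status") as f:
            print("this interpreter has sys_admin:", process_has_cap(f.read(), "sys_admin"))
```

Run it with the venv interpreter and the path to check (`/path/to/venv/bin/python3 check_caps.py /path/to/venv/bin/python3`); reading the xattr needs no privilege, so it works for any user. If the file shows the capability but the running interpreter does not, the usual causes are that the script was started through a different interpreter (for example via its shebang or the system python3 rather than the venv binary) or that the filesystem is mounted nosuid, on which file capabilities are ignored.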