Creating a dtrace group?

[Matthew Seaman]

This is something that came up while I was flailing about trying to get
dtrace working with postgresql during BSDCan.  Many thanks to markj and
swills and others for their help.

By default the permissions/ownership on /dev/dtrace/helper look like this:

crw-rw----   1 root  wheel  0x5 Jun  3 11:42 helper

In order to dtrace a userland application it needs  read/write access to
that device.  Now, that's not the case for example with postgresql which
switches to a non-root uid on startup.  Most persistent daemon processes
with network access will do this for obvious security reasons.

The effect is that running 'dtrace -l -m postgres' shows no available
probes.

One solution is to create a new 'dtrace' unix group, which the userids
those daemons run under can be added to, and make /dev/dtrace/helper
owned by that group.  Like so:

  # pw group add -n dtrace -g 141 -M postgres
  # cat /etc/devfs.rules
  [userdtrace=10]
  add path dtrace/helper mode 0660 group dtrace
  # sysrc devfs_system_ruleset="userdtrace"

(GID 141 is just the first available from /usr/ports/GIDs)  This make
/dev/dtrace/helper look like so:

crw-rw----   1 root  dtrace  0x5 Jun  3 11:42 helper

and the postgres user account:

# id postgres
uid=770(postgres) gid=770(postgres) groups=770(postgres),141(dtrace)

Would it be possible to create a dtrace group like this in the default
/etc/group and change the devfs settings so that /dev/dtrace/helper is
group owned by the new dtrace by default?  Preferably if this could go
into the upcoming 11.1 and 10.4 releases?

Making postgres and other UIDs used by daemon processes members of the
dtrace group will have to be added to individual ports, but that's easy
enough.

	Cheers,

	Matthew


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 972 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-dtrace/attachments/20170615/0a243e42/attachment.sig>