[lttng-dev] one sessiond for multiuser system

Jérémie Galarneau jeremie.galarneau at efficios.com
Mon Aug 12 16:11:26 EDT 2013 

On Mon, Aug 12, 2013 at 9:23 AM, Thibault, Daniel
<Daniel.Thibault at drdc-rddc.gc.ca> wrote:
> ----------------------------------------------------------------------
> Message: 5
> Date: Fri, 9 Aug 2013 10:54:49 -0400
> From: J?r?mie Galarneau <jeremie.galarneau at efficios.com>
>
>> On Fri, Aug 9, 2013 at 4:01 AM, Stanislav Vovk <stanislav.vovk at ericsson.com> wrote:
>> > In my system there are two users, root and Bob. I am starting sessiond at boot as root user. And instrumented programs are started as either root or Bob. I am logged in to the system and controlling lttng as root user.
>> > - When executing "lttng list -u" I see events registered by programs started as root. I don't see events from programs started as Bob. Why? Did I forget something?
>> > - Now I switch user to Bob in the shell. Executing "lttng list -u" does not give any output at all, instead a new sessiond is started. How can I have one sessiond for the whole system?
>>
>> A non-privileged user can only interact with a root session daemon if he is part of the "tracing" group. Is it the case for "Bob" in this example?
>>
>> Reproducing your scenario here with "Bob" being part of the tracing group:
>> - Root can list its own sessions as well as Bob's
>> - Bob's user space events can also be seen by root
>> - Bob can't see the sessions created by root.
>
>    Actually, a non-root user can also access the root daemon if he has sudo privileges.
>
>    The root daemon will see the various user-space events, but it will *not* list the user sessions: the various lttng-sessiond daemons do not talk to each other.  (This may become possible with a later version of lttng)
>
>    To funnel all tracing through the root daemon, make sure any user lttng-sessiond daemons are killed and only the root lttng-sessiond daemon is running, then either make your users members of the 'tracing' group, or systematically use 'sudo lttng ...' or 'sudo -H lttng ...' from the user shells.  The first form will put the trace outputs in each user's ~/lttng-traces, the second form will combine all trace outputs in /root/lttng-traces.  You may need to chmod the resulting folders and files if you want to later access them as non-root.
>

Keep in mind that in this scenario, setting up your traces as root
(using sudo) will still not let users that are not part of the
'tracing' group trace their applications as no interactions with the
session daemon are allowed; that includes application registration.

Getting around that would require that your users also launch the
applications themselves as root (using sudo) which is an unnecessary
security risk.

> Daniel U. Thibault
> Protection des systèmes et contremesures (PSC) | Systems Protection & Countermeasures (SPC)
> Cyber sécurité pour les missions essentielles (CME) | Mission Critical Cyber Security (MCCS)
> R & D pour la défense Canada - Valcartier (RDDC Valcartier) | Defence R&D Canada - Valcartier (DRDC Valcartier)
> 2459 route de la Bravoure
> Québec QC  G3J 1X5
> CANADA
> Vox : (418) 844-4000 x4245
> Fax : (418) 844-4538
> NAC : 918V QSDJ <http://www.travelgis.com/map.asp?addr=918V%20QSDJ>
> Gouvernement du Canada | Government of Canada
> <http://www.valcartier.drdc-rddc.gc.ca/>



-- 
Jérémie Galarneau
EfficiOS Inc.
http://www.efficios.com

More information about the lttng-dev mailing list