[lttng-dev] one sessiond for multiuser system

Jérémie Galarneau jeremie.galarneau at efficios.com
Mon Aug 12 18:47:39 EDT 2013


On Mon, Aug 12, 2013 at 4:23 PM, Thibault, Daniel
<Daniel.Thibault at drdc-rddc.gc.ca> wrote:
> -----Original Message-----
> Sent: August 12, 2013 16:11
>
> On Mon, Aug 12, 2013 at 9:23 AM, Thibault, Daniel <Daniel.Thibault at drdc-rddc.gc.ca> wrote:
>> ----------------------------------------------------------------------
>>    Actually, a non-root user can also access the root daemon if he has sudo privileges.
>>
>>    The root daemon will see the various user-space events, but it will
>> *not* list the user sessions: the various lttng-sessiond daemons do
>> not talk to each other.  (This may become possible with a later
>> version of lttng)
>>
>>    To funnel all tracing through the root daemon, make sure any user lttng-sessiond daemons are killed and only the root lttng-sessiond daemon is running, then either make your users members of the 'tracing' group, or systematically use 'sudo lttng ...' or 'sudo -H lttng ...' from the user shells.  The first form will put the trace outputs in each user's ~/lttng-traces, the second form will combine all trace outputs in /root/lttng-traces.  You may need to chmod the resulting folders and files if you want to later access them as non-root.
>
> Keep in mind that in this scenario, setting up your traces as root (using sudo) will still not let users that are not part of the 'tracing' group trace their applications as no interactions with the session daemon are allowed; that includes application registration.
>
> Getting around that would require that your users also launch the applications themselves as root (using sudo) which is an unnecessary security risk.
>
> Jérémie Galarneau
> EfficiOS Inc.
> -----End of original message-----
>
>    I'm not sure I understand what you're getting at when you say "setting up your traces as root (using sudo) will still not let users that are not part of the 'tracing' group trace their applications as no interactions with the session daemon are allowed; that includes application registration."  Users that are not part of the 'tracing' group need take no special action to get their apps traced: the root session daemon sees all user-spaces.

You're right. There seems to be an unrelated problem on my system. So,
to clarify:

- A root session daemon can only be controlled (e.g. create and modify
sessions) by root and members of the tracing group.
- Applications do not need to run as a member of the tracing group to be traced.

Jérémie

>
> Daniel U. Thibault
> Protection des systèmes et contremesures (PSC) | Systems Protection & Countermeasures (SPC)
> Cyber sécurité pour les missions essentielles (CME) | Mission Critical Cyber Security (MCCS)
> R & D pour la défense Canada - Valcartier (RDDC Valcartier) | Defence R&D Canada - Valcartier (DRDC Valcartier)
> 2459 route de la Bravoure
> Québec QC  G3J 1X5
> CANADA
> Vox : (418) 844-4000 x4245
> Fax : (418) 844-4538
> NAC : 918V QSDJ <http://www.travelgis.com/map.asp?addr=918V%20QSDJ>
> Gouvernement du Canada | Government of Canada
> <http://www.valcartier.drdc-rddc.gc.ca/>



-- 
Jérémie Galarneau
EfficiOS Inc.
http://www.efficios.com
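
The single-root-daemon setup and the two access rules summarised in this message can be checked with a short script. This is an added example, not code from the thread or from the LTTng project; the function names, the sample process list and the `ps -eo user=,pid=,comm=` input format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the setup discussed above:
# one root lttng-sessiond, no per-user daemons, control limited to root
# and members of the 'tracing' group.

# Constructed sample of `ps -eo user=,pid=,comm=` output.
SAMPLE_PS='root 812 lttng-sessiond
alice 2291 lttng-sessiond
alice 2310 bash
bob 2400 firefox'

# Print "user:pid" for every lttng-sessiond not owned by root (stdin: ps text).
stray_sessionds() {
    awk '$3 == "lttng-sessiond" && $1 != "root" { print $1 ":" $2 }'
}

# Print the number of root-owned lttng-sessiond processes (stdin: ps text).
root_sessiond_count() {
    awk '$3 == "lttng-sessiond" && $1 == "root" { n++ } END { print n + 0 }'
}

# Succeed if user $1 with group list $2 (as from `id -Gn`) may control the
# root daemon: root itself, or a member of 'tracing'.
can_control_root_daemon() {
    if [ "$1" = "root" ]; then return 0; fi
    for g in $2; do
        if [ "$g" = "tracing" ]; then return 0; fi
    done
    return 1
}

# Print one finding per line for ps text $1, user $2, group list $3.
audit() {
    [ "$(printf '%s\n' "$1" | root_sessiond_count)" -eq 1 ] ||
        echo "WARN: expected exactly one root lttng-sessiond"
    printf '%s\n' "$1" | stray_sessionds | while read -r s; do
        echo "WARN: per-user daemon running: $s"
    done
    if can_control_root_daemon "$2" "$3"; then
        echo "OK: $2 can create and modify sessions on the root daemon"
    else
        echo "INFO: $2 cannot control the root daemon; apps are still traced"
    fi
}

# Demo on the constructed sample; on a live host pass
# "$(ps -eo user=,pid=,comm=)" "$USER" "$(id -Gn)" instead.
audit "$SAMPLE_PS" alice "alice tracing"
```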