Re: is BCC tools safe to enable root privilegies in production?


Brendan Gregg
 

On Fri, Mar 13, 2020 at 7:59 AM Cristian Spinetta <cebspinetta@...> wrote:

Hi all!

I am curious about whether it is safe to enable root access to BCC scripts on production machines.
In my company, each team has access to their instances via ssh, and we are thinking to allow them to use bcc in production. For this purpose we need to allow root access to any BCC tool. Do you think it would be safe? for example, is there some tool that can receive a command to execute? in that case it would be unsafe because someone could execute any command thought a bcc tool.

e.g.:
sudo /usr/share/bcc/tools/some-great-tool.sh dd if=/dev/zero of=/dev/sda bs=512 count=1 conv=notrunc
^^^^

sudo isn't safe. If you remove the BCC tool from this one-liner,
you'll find it still destroys your disk.

In practice the production concern I have is for the overhead of each
tool, hence the overhead section in each tool's man page.

Brendan


Best,
Cristian Spinetta

Join iovisor-dev@lists.iovisor.org to automatically receive all group messages.