Topics

is BCC tools safe to enable root privilegies in production?

Cristian Spinetta
 

Hi all!

I am curious about whether it is safe to enable root access to BCC scripts on production machines.
In my company, each team has access to their instances via ssh, and we are thinking to allow them to use bcc in production. For this purpose we need to allow root access to any BCC tool. Do you think it would be safe? for example, is there some tool that can receive a command to execute? in that case it would be unsafe because someone could execute any command thought a bcc tool.

e.g.:
sudo /usr/share/bcc/tools/some-great-tool.sh dd if=/dev/zero of=/dev/sda bs=512 count=1 conv=notrunc

Best,
Cristian Spinetta

Brendan Gregg
 

On Fri, Mar 13, 2020 at 7:59 AM Cristian Spinetta <cebspinetta@...> wrote:

Hi all!

I am curious about whether it is safe to enable root access to BCC scripts on production machines.
In my company, each team has access to their instances via ssh, and we are thinking to allow them to use bcc in production. For this purpose we need to allow root access to any BCC tool. Do you think it would be safe? for example, is there some tool that can receive a command to execute? in that case it would be unsafe because someone could execute any command thought a bcc tool.

e.g.:
sudo /usr/share/bcc/tools/some-great-tool.sh dd if=/dev/zero of=/dev/sda bs=512 count=1 conv=notrunc
^^^^

sudo isn't safe. If you remove the BCC tool from this one-liner,
you'll find it still destroys your disk.

In practice the production concern I have is for the overhead of each
tool, hence the overhead section in each tool's man page.

Brendan


Best,
Cristian Spinetta

Cristian Spinetta
 

Thanks for your fast reply!

In our infrastructure the owners of the app can logging into the production VMs that are running their apps and execute a restricted list of command with sudo (e.g. tcpdump, netstat, ...). The idea is to give root access to each script of bcc tool (all within /usr/share/bcc/tools/*). We are concerned if there are some bcc scripts that can run another command like in the example above or if there are other security concerns to be aware of.

Best,
Cristian Spinetta


On Fri, Mar 13, 2020 at 1:23 PM Brendan Gregg <brendan.d.gregg@...> wrote:
On Fri, Mar 13, 2020 at 7:59 AM Cristian Spinetta <cebspinetta@...> wrote:
>
> Hi all!
>
> I am curious about whether it is safe to enable root access to BCC scripts on production machines.
> In my company, each team has access to their instances via ssh, and we are thinking to allow them to use bcc in production. For this purpose we need to allow root access to any BCC tool. Do you think it would be safe? for example, is there some tool that can receive a command to execute? in that case it would be unsafe because someone could execute any command thought a bcc tool.
>
> e.g.:
> sudo /usr/share/bcc/tools/some-great-tool.sh dd if=/dev/zero of=/dev/sda bs=512 count=1 conv=notrunc

^^^^

sudo isn't safe. If you remove the BCC tool from this one-liner,
you'll find it still destroys your disk.

In practice the production concern I have is for the overhead of each
tool, hence the overhead section in each tool's man page.

Brendan

>
> Best,
> Cristian Spinetta
>