Is BCC tools safe to enable root privileges in production?


Cristian Spinetta
 

Hi all!

I am curious about whether it is safe to enable root access to BCC scripts on production machines.
In my company, each team has access to their instances via ssh, and we are thinking of allowing them to use bcc in production. For this purpose we need to allow root access to any BCC tool. Do you think it would be safe? For example, is there some tool that can receive a command to execute? In that case it would be unsafe because someone could execute any command through a bcc tool.

e.g.:
sudo /usr/share/bcc/tools/some-great-tool.sh dd if=/dev/zero of=/dev/sda bs=512 count=1 conv=notrunc

Best,
Cristian Spinetta


Brendan Gregg
 

On Fri, Mar 13, 2020 at 7:59 AM Cristian Spinetta <cebspinetta@...> wrote:

> Hi all!
>
> I am curious about whether it is safe to enable root access to BCC scripts on production machines.
> In my company, each team has access to their instances via ssh, and we are thinking of allowing them to use bcc in production. For this purpose we need to allow root access to any BCC tool. Do you think it would be safe? For example, is there some tool that can receive a command to execute? In that case it would be unsafe because someone could execute any command through a bcc tool.
>
> e.g.:
> sudo /usr/share/bcc/tools/some-great-tool.sh dd if=/dev/zero of=/dev/sda bs=512 count=1 conv=notrunc
  ^^^^

sudo isn't safe. If you remove the BCC tool from this one-liner,
you'll find it still destroys your disk.

In practice the production concern I have is for the overhead of each
tool, hence the overhead section in each tool's man page.

Brendan


> Best,
> Cristian Spinetta


Cristian Spinetta
 

Thanks for your fast reply!

In our infrastructure the owners of the app can log into the production VMs that are running their apps and execute a restricted list of commands with sudo (e.g. tcpdump, netstat, ...). The idea is to give root access to each bcc tool script (all within /usr/share/bcc/tools/*). We are concerned about whether there are some bcc scripts that can run another command like in the example above, or whether there are other security concerns to be aware of.

Best,
Cristian Spinetta


On Fri, Mar 13, 2020 at 1:23 PM Brendan Gregg <brendan.d.gregg@...> wrote:
On Fri, Mar 13, 2020 at 7:59 AM Cristian Spinetta <cebspinetta@...> wrote:
>
> Hi all!
>
> I am curious about whether it is safe to enable root access to BCC scripts on production machines.
> In my company, each team has access to their instances via ssh, and we are thinking of allowing them to use bcc in production. For this purpose we need to allow root access to any BCC tool. Do you think it would be safe? For example, is there some tool that can receive a command to execute? In that case it would be unsafe because someone could execute any command through a bcc tool.
>
> e.g.:
> sudo /usr/share/bcc/tools/some-great-tool.sh dd if=/dev/zero of=/dev/sda bs=512 count=1 conv=notrunc

^^^^

sudo isn't safe. If you remove the BCC tool from this one-liner,
you'll find it still destroys your disk.

In practice the production concern I have is for the overhead of each
tool, hence the overhead section in each tool's man page.

Brendan

>
> Best,
> Cristian Spinetta
>
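
A pre-check for the question raised in this thread, added here as an example and not part of the original messages or of the BCC project: it parses each Python file in a tools directory and reports those that call a process-spawning API or define an option whose name contains "command". The API list and the option-name heuristic are assumptions, an empty report is not a guarantee, and files that do not parse as Python 3 are flagged for manual review.

```python
import ast
import os
import sys

# Constructed sample source (not a real BCC tool), used when no directory is given.
SAMPLE_RUNS_CMD = ('import argparse, subprocess\np = argparse.ArgumentParser()\n'
                   'p.add_argument("-c", "--command")\n'
                   'subprocess.Popen(p.parse_args().command, shell=True)\n')

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

def is_spawn(name):
    # Heuristic list of process-spawning APIs (an assumption; extend as needed).
    return (name.startswith(("subprocess.", "os.exec", "os.spawn", "os.posix_spawn"))
            or name in ("os.system", "os.popen", "Popen"))

def audit_tool(source):
    """Return sorted findings for one tool's source text."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return ["unparsed: review by hand"]  # shell script, Python 2, binary
    found = set()
    for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        name = dotted(call.func)
        if is_spawn(name):
            found.add("spawns: " + name)
        elif name.endswith("add_argument"):
            found.update("option: " + a.value for a in call.args
                         if isinstance(a, ast.Constant) and isinstance(a.value, str)
                         and "command" in a.value.lower())
    return sorted(found)

def audit_dir(path):
    """Map file name -> findings for each regular file directly under path."""
    report = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                report[entry] = audit_tool(fh.read())
    return {name: hits for name, hits in report.items() if hits}

if __name__ == "__main__":
    print(audit_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_tool(SAMPLE_RUNS_CMD))
```

Any file the report lists is a candidate to leave out of the sudo command list until it has been read by hand.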