Thanks for your fast reply! In our infrastructure the owners of the app can logging into the production VMs that are running their apps and execute a restricted list of command with sudo (e.g. tcpdump, netstat, ...). The idea is to give root access to each script of bcc tool (all within */usr/share/bcc/tools/**). We are concerned if there are some bcc scripts that can run another command like in the example above or if there are other security concerns to be aware of.
Best, *Cristian* *Spinetta* On Fri, Mar 13, 2020 at 1:23 PM Brendan Gregg <[email protected]> wrote: > On Fri, Mar 13, 2020 at 7:59 AM Cristian Spinetta <[email protected]> > wrote: > > > > Hi all! > > > > I am curious about whether it is safe to enable root access to BCC > scripts on production machines. > > In my company, each team has access to their instances via ssh, and we > are thinking to allow them to use bcc in production. For this purpose we > need to allow root access to any BCC tool. Do you think it would be safe? > for example, is there some tool that can receive a command to execute? in > that case it would be unsafe because someone could execute any command > thought a bcc tool. > > > > e.g.: > > sudo /usr/share/bcc/tools/some-great-tool.sh dd if=/dev/zero of=/dev/sda > bs=512 count=1 conv=notrunc > > ^^^^ > > sudo isn't safe. If you remove the BCC tool from this one-liner, > you'll find it still destroys your disk. > > In practice the production concern I have is for the overhead of each > tool, hence the overhead section in each tool's man page. > > Brendan > > > > > Best, > > Cristian Spinetta > > > > > > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1825): https://lists.iovisor.org/g/iovisor-dev/message/1825 Mute This Topic: https://lists.iovisor.org/mt/71927692/21656 Group Owner: [email protected] Unsubscribe: https://lists.iovisor.org/g/iovisor-dev/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
