5

How do I enable users to use dtrace on Mac OS X? I am trying to do the equivalent of strace on Linux, and I don't like running applications with elevated privileges.

UPDATE

Ok, as best I can tell, the only way to keep a nefarious application from ruining the system by debugging it is to:

  1. Attach to the process in a separate console
  2. Use sudo twice

So that:

    sudo dtruss sudo -u myusername potentially_harmful_app

I verified this with this short program:

    #include <iostream>
    #include <unistd.h>
    int main()
    {
      // Print the effective UID this process runs with (0 means root).
      std::cout << "effective euid " << geteuid() << "\n";
    }

See this discussion for more info:

http://discussions.apple.com/message.jspa?messageID=6430877

Juan
  • Answered here - you basically sudo back to the user you want to use: http://stackoverflow.com/questions/3007868/how-can-get-dtrace-to-run-the-traced-command-with-non-root-priviledges – Martin Cleaver Apr 15 '15 at 16:54
  • doesn't seem to work anymore: `dtrace: failed to execute sudo: dtrace cannot control executables signed with restricted entitlements` – Jens Timmerman Jan 31 '17 at 15:32

3 Answers

3

Please see my update above. This is a bad security hole if I've ever seen one. A proper implementation of dtruss should drop privileges of any program it invokes. Having several users on a system, one of them would be bound to mess this up and allow a badly written program to trash things.

Juan
1

`chmod 4755 dtrace` as root

Any time you run the program, it will run with root privileges.

silviud
  • 1
    Does that mean that the application being run in dtrace will have elevated privileges? How would I enable an individual user, and not others? – Juan Dec 23 '10 at 00:29
1

You can't have both. dtrace requires root privileges to talk to the kernel, so it has to either run with root privs (setuid) or be run by root.

  • So I have to trust that the application I am running through dtruss(dtrace) isn't going to harm my system? – Juan Dec 23 '10 at 01:19
  • How many users do you have on this box (is it os-x server or something?) and why are they running dtrace at all? Anyway, if any of these responses answered your question, please reciprocate by voting appropriately. :-) thanks – Brian Topping Dec 23 '10 at 02:16
  • 1
    See my update in the question area. If I am trying to dtruss an application, I have to take unreasonable extra steps to make sure that the application I am trying to debug doesn't harm the system. I filed a ticket with the Apple security team about dtruss needing to drop privileges before executing a program. – Juan Dec 23 '10 at 17:41