Brian Kolaci wrote:
> Hi,
>
> A customer would like to run DTrace on some production boxes
> however they need a way to prove that no destructive actions
> can be taken, not even by accident. This "proof" is required
> before they can do anything on the production boxes.
>
> Is there an executable or possibly an RBAC controllable
> action that can be done to strip the "-w" functionality from
> the DTrace executable? Or possibly strip some privileges that
> won't allow DTrace to do anything destructive?
>
> Thanks,
>
> Brian
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss@opensolaris.org
>

According to the manual, if you give all of the dtrace privs to a normal user, that user can access everything except destructive actions, which are still reserved for the super user. As such a user I ran a script that did a "chip(10)", and got the following error:

dtrace: error on enabled probe ID 3 (ID 13: syscall::read:return): invalid kernel access in action #2

Chip
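
One way to produce evidence for the split described in the reply above, as an added example that is not part of the original thread or of DTrace itself: a shell function that reads user_attr-style entries and classifies each account by the DTrace privileges in its defaultpriv. The privilege names dtrace_proc, dtrace_user and dtrace_kernel, the treatment of "all" as super-user equivalent, the class labels and the sample entries are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify accounts by DTrace capability from user_attr-style
# lines (user:qualifier:res1:res2:key=value;key=value).
# Assumed privilege names: dtrace_proc, dtrace_user, dtrace_kernel.
# Assumption: a defaultpriv containing "all" is treated as super-user equivalent.

dtrace_priv_audit() {
    # stdin: user_attr lines; stdout: "<user> <class>" per relevant account
    awk -F: '
        /^[ \t]*#/ || NF < 5 { next }            # skip comments and short lines
        {
            privs = ""
            n = split($5, attrs, ";")
            for (i = 1; i <= n; i++)
                if (attrs[i] ~ /^defaultpriv=/)
                    privs = substr(attrs[i], length("defaultpriv=") + 1)
            if (privs == "") next                # no explicit defaultpriv
            m = split(privs, p, ",")
            all = 0; dt = 0; odd = 0
            for (j = 1; j <= m; j++) {
                if (p[j] == "all") all = 1
                else if (p[j] ~ /^dtrace_(proc|user|kernel)$/) dt++
                else if (p[j] ~ /^!/) odd = 1    # negated token: do not guess
            }
            if (odd)          class = "review-manually"
            else if (all)     class = "destructive-capable"
            else if (dt == 3) class = "dtrace-nondestructive"
            else if (dt > 0)  class = "dtrace-partial"
            else next
            print $1, class
        }'
}

# Constructed sample input (not from a real system).
sample_user_attr() {
    cat <<'EOF'
# constructed user_attr entries
tracer::::defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel
appdev::::type=normal;defaultpriv=basic,dtrace_proc,dtrace_user
opsadm::::defaultpriv=all
odd::::defaultpriv=all,!dtrace_kernel
plain::::type=normal
EOF
}

sample_user_attr | dtrace_priv_audit
```

Any account reported as destructive-capable or review-manually falls outside the "no destructive actions" guarantee and needs a separate check.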