Closed niclashoyer closed 10 years ago
That's possible with sudo.
Use visudo to edit the sudo-config.
Add the line %sysdig ALL= path/to/sysdig and save (path is most likely /usr/local/bin/sysdig, note the space after =).
Now the group sysdig is allowed to use the sudo command, but only for the specified binary.
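The steps in the comment above, as an added shell example that is not part of the original thread or the sysdig project: it builds the same rule, refuses a binary that non-root users could modify, and lets visudo check the file before it is installed. The drop-in path /etc/sudoers.d/sysdig, the function names, and root:root ownership (Linux) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the group "sysdig" already exists.

# Print the sudoers rule for one binary, or fail if the path is unsafe to delegate.
sysdig_sudoers_rule() {
    bin=$1
    case $bin in
        *[!A-Za-z0-9_./-]*)
            # Spaces, commas, etc. have special meaning in sudoers; refuse them.
            echo "unsupported characters in path: $bin" >&2; return 1 ;;
        /*) ;;
        *)  echo "path must be absolute: $bin" >&2; return 1 ;;
    esac
    [ -f "$bin" ] && [ -x "$bin" ] || {
        echo "not an executable file: $bin" >&2; return 1
    }
    # If group or others can write the binary, they control what sudo runs as root.
    if [ -n "$(find -L "$bin" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "group- or world-writable: $bin" >&2; return 1
    fi
    # Same form as the rule in the comment above (note the space after "=").
    printf '%%sysdig ALL= %s\n' "$bin"
}

# Validate the rule with visudo, then install it as a drop-in (run as root).
install_sysdig_rule() {
    bin=$1
    dest=${2:-/etc/sudoers.d/sysdig}   # hypothetical drop-in name
    tmp=$(mktemp) || return 1
    sysdig_sudoers_rule "$bin" > "$tmp" || { rm -f "$tmp"; return 1; }
    # visudo -c -f only parses the file; a broken rule never reaches /etc.
    visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
    install -o root -g root -m 0440 "$tmp" "$dest"
    rm -f "$tmp"
}

# Usage, as root:  install_sysdig_rule /usr/local/bin/sysdig
```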
As @timzimmermann said, sudo is the way to go.
If you were to do it manually without sudo, you would have to do a chgrp / chmod to /dev/sysdig* (passing the sysdig group), but libscap will still need to traverse the entire /proc file system to fetch the initial state of the processes in the system, so you will need to set some pretty large capabilities on the sysdig binary with setcap, so you might as well just run it as root wrapped under sudo.
So this should be ok, please feel free to add a wiki page to document these steps @timzimmermann, I'm sure it will be useful for other people!
Done, feel free to improve it.
Thanks a lot for doing this!
I just added a few more technical details.
Is it possible to run sysdig as a non-root user? Maybe grant everyone in the sysdig group access?
If not, why? Maybe this should be added to the documentation.