This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
David Smith <dsmith@redhat.com> writes:
> [...] Solving both problems would look like this:
> (A) A sysadmin would compile systemtap tap scripts into kernel modules and store the module in something like /etc/systemtap/authorized_modules/$kernel_version/foo.ko

The suggestion of using /lib/modules itself is a great one.

> (D) staprun.auth will need to disallow certain staprun.auth command-line arguments, such as:
> - "-c CMD" [...]
> - "-O FILE" [...]

Actually, it doesn't. A setuid program can drop its privileges after performing the root-only operations (module loading), and invoke the rest of the normal commands as the real userid.
-- David Smith dsmith@redhat.com Red Hat http://www.redhat.com 256.217.0141 (direct) 256.837.0057 (fax)
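
The privilege drop described in the reply above, as an added example that is not part of the original message and is not staprun code. It assumes a setuid-root helper on Linux with glibc; the names `drop_privileges` and `run_cmd_as_invoker` and the use of `/bin/sh -c` for "-c CMD" are hypothetical.

```c
#define _GNU_SOURCE            /* setresuid/getresuid on glibc */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up setuid privileges. Returns 0 on success, -1 if any
 * step fails; the caller must abort rather than continue on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid(), r, e, s;
    gid_t rgid = getgid(), old_egid = getegid(), gr, ge, gs;

    /* Group ids first: after the uid change we may no longer set gids. */
    if (setresgid(rgid, rgid, rgid) != 0) return -1;
    /* Real, effective and saved uid together, so there is no way back. */
    if (setresuid(ruid, ruid, ruid) != 0) return -1;

    /* Verify the result instead of trusting the return codes alone. */
    if (getresuid(&r, &e, &s) != 0 || r != ruid || e != ruid || s != ruid) return -1;
    if (getresgid(&gr, &ge, &gs) != 0 || gr != rgid || ge != rgid || gs != rgid) return -1;
    /* For a non-root invoker, regaining the old ids must now fail. */
    if (ruid != 0 && old_euid != ruid && seteuid(old_euid) == 0) return -1;
    if (ruid != 0 && old_egid != rgid && setegid(old_egid) == 0) return -1;
    return 0;
}

/* Run CMD (as for "-c CMD") in a child that has dropped privileges.
 * Returns the command's exit status, or -1 on error. */
int run_cmd_as_invoker(const char *cmd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) _exit(126);  /* never exec while privileged */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                              /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    /* Root-only work (module loading in the thread) would happen here. */
    if (argc < 2) { fprintf(stderr, "usage: %s CMD\n", argv[0]); return 2; }
    return run_cmd_as_invoker(argv[1]);
}
```

The supplementary groups are left alone because in a setuid program they already belong to the invoking user. The environment inherited from that user is passed to the command unchanged, which is acceptable only because the command runs after the drop.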