This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Need some security advice for systemtap


Frank Ch. Eigler wrote:
David Smith <dsmith@redhat.com> writes:

[...]
Solving both problems would look like this:

(A) A sysadmin would compile systemtap tap scripts into kernel modules
and store the module in something like
/etc/systemtap/authorized_modules/$kernel_version/foo.ko

The suggestion of using /lib/modules itself is a great one.

I'm OK with that. From later in your email it looks like you are shooting for /lib/modules/`uname -r`/systemtap, which seems reasonable.


>> [...]
(D) staprun.auth will need to disallow certain staprun.auth
command-line arguments, such as:
- "-c CMD" [...]
- "-O FILE" [...]

Actually, it doesn't. A setuid program can drop its privileges after performing the root-only operations (module loading), and invoke the rest of the normal commands as the real userid.

Hmm.



I was trying to duplicate as little of staprun as possible - just parse arguments, make sure the module is in the correct place, then exec staprun for all the real processing. I was trying to make staprun_auth a very thin wrapper around staprun.


With your idea I don't see a way around duplicating all of staprun (not actual code duplication, but compiling all of staprun into staprun_auth).

Perhaps there is a merged approach. Keep staprun_auth a thin wrapper around staprun, but change staprun to raise and lower privileges as needed when inserting/removing modules, setting up relayfs, etc.

--
David Smith
dsmith@redhat.com
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]