This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
[Bug runtime/6903] scripts can be run by non-sudo and non-stapdev users
- From: "dsmith at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: systemtap at sources dot redhat dot com
- Date: 18 Sep 2008 21:26:15 -0000
- Subject: [Bug runtime/6903] scripts can be run by non-sudo and non-stapdev users
- References: <20080918151227.6903.scox@redhat.com>
- Reply-to: sourceware-bugzilla at sourceware dot org
------- Additional Comments From dsmith at redhat dot com 2008-09-18 21:26 -------
Originally, staprun.c:main() called cap.c:init_cap(), which did the following:
void init_cap(void)
{
uid_t uid = getuid();
gid_t gid = getgid();
...
if (setresuid(uid, uid, uid) < 0)
ferror("setresuid");
if (setresgid(gid, gid, gid) < 0)
ferror("setresgid");
}
Which basically set the effective and saved user/group ids to the real
user/group id.
Then, staprun.c:main() called staprun_funcs.c:check_permissions()
int check_permissions(void)
{
/* If we're root, we can do anything. */
if (geteuid() == 0)
return 1;
...
}
Without the code in init_cap(), the euid of staprun is always 0, since staprun
is setuid 0. Changing that 'geteuid()' call to 'getuid()' seems to fix the problem.
Fixed in commit 0387bde.
--
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED
http://sourceware.org/bugzilla/show_bug.cgi?id=6903
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.