This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: Systemtap Client/server Certificate Management and Usage Improvements


Hello,

On 13 [month unreadable] 2009 at 13:40 -0500, Dave Brolley wrote:
> 1) Client/server certificate databases are no longer generated at build  
> time and are no longer installed
It would be good to have empty config directories installed that can be used by
the client/server.

> Usage Goals
> -----------
> 1) Any user can run stap from phase 1 through 4 inclusive (-p1 through -p4), so
>    any user should be able to interface with a trusted systemtap server for
>    requests limited to these phases. The server need not be compatible with
>    the platform of the client.
This can be a problem for the server. At least a DoS attack is possible.

> 
> 2) Currently, only privileged users (root or a member of stapdev or stapusr) can
>    load a systemtap module (phase 5). The module must have been generated by
>    stap on the local host or on a compatible host. Similarly, privileged users
>    should be able to interface with a trusted and compatible systemtap server
>    and load the resulting module.
Members of stapusr should not be able to run generated modules IMHO.

> 
> 3) In the future (or already?), unprivileged users will be able to load modules
>    probing user-space code and, similarly, unprivileged users should then be
>    able to interface with a trusted and compatible systemtap server and load the
>    resulting module.
Hmm, I'd not allow unprivileged users to load any kernel modules... At least not
without a lot of checks on the server side.

> 
> 4) In the future, unprivileged users should be able to load a module generated
>    by servers "blessed" by privileged users. This will be a separate level of
>    authority similar to membership in the groups stapdev or stapusr.
Does that mean allowing any user to load kernel modules? Or creating one more group
like stapdev but without the possibility to compile locally and run compile servers? Will
the server do any additional checks for probe files from such users?

> 2) a database local to the user starting the server.
> 
>    For unprivileged users, the database is in the directory
> 
>      /home/<user>/.systemtap/ssl/server
I hope you meant $(HOME)/.systemtap/ssl/server here...

> 
>    For root (EUID=0) users, the database is in the directory
> 
>      $(prefix)/etc/systemtap/ssl/server
... and $(sysconfdir)/systemtap/ssl/server here.

> 
>    where $(prefix) is the prefix used to install systemtap.
> 

And the same here:
>    For unprivileged users, the database is in the directory
> 
>      /home/<user>/.systemtap/ssl/client
> 
>    For root (EUID=0) users, the database is in the directory
> 
>      $(prefix)/etc/systemtap/ssl/client
> 
>    where $(prefix) is the prefix used to install systemtap.

Regards,
Eugeniy Meshcheryakov
