From: David Smith <dsmith@redhat.com>
To: "Frank Ch. Eigler" <fche@redhat.com>
Cc: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>,
grundy <grundym@us.ibm.com>,
fedora-security-list@redhat.com,
Systemtap List <systemtap@sources.redhat.com>
Subject: Re: Need some security advice for systemtap
Date: Mon, 11 Jun 2007 22:00:00 -0000
Message-ID: <466DC5FD.7090605@redhat.com>
In-Reply-To: <y0mps42p483.fsf@ton.toronto.redhat.com>
Frank Ch. Eigler wrote:

> David Smith <dsmith@redhat.com> writes:
>
>> [...]
>> Solving both problems would look like this:
>>
>> (A) A sysadmin would compile systemtap tap scripts into kernel modules
>> and store the module in something like
>> /etc/systemtap/authorized_modules/$kernel_version/foo.ko
>
> The suggestion of using /lib/modules itself is a great one.

I'm OK with that. From later in your email it looks like you are
shooting for /lib/modules/`uname -r`/systemtap, which seems reasonable.

>> [...]
>> (D) staprun.auth will need to disallow certain staprun.auth
>> command-line arguments, such as:
>> - "-c CMD" [...]
>> - "-O FILE" [...]
>
> Actually, it doesn't. A setuid program can drop its privileges after
> performing the root-only operations (module loading), and invoke the
> rest of the normal commands as the real userid.

Hmm.

I was trying to duplicate as little of staprun as possible - just parse
arguments, make sure the module is in the correct place, then exec
staprun for all the real processing. I was trying to make staprun_auth
a very thin wrapper around staprun.

With your idea I don't see a way around duplicating all of staprun (not
actual code duplication, but compiling all of staprun into staprun_auth).

Perhaps there is a merged approach. Keep staprun_auth a thin wrapper
around staprun, but change staprun to raise and lower privileges as
needed when inserting/removing modules, setting up relayfs, etc.
--
David Smith
dsmith@redhat.com
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)
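The pattern the two messages above converge on (the setuid helper takes a bare module name and resolves it itself under a fixed directory such as /lib/modules/`uname -r`/systemtap, performs the root-only step, then permanently drops to the real user before anything driven by caller-supplied options runs) is shown below as an added C example. This is illustrative code written for this page, not staprun or staprun_auth; the subdirectory name, the helper names and the placeholder standing in for the module-loading step are assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/utsname.h>
#include <unistd.h>

/* Assumed authorized-module directory below /lib/modules/<kver>/. */
#define AUTHORIZED_SUBDIR "systemtap"

/* Build /lib/modules/<kver>/systemtap/<name>.ko from a bare module name.
   The caller never supplies a path, only a name; anything that could add
   a path component is rejected. Returns 0 on success, -1 on refusal. */
int build_authorized_module_path(const char *name, const char *kver,
                                 char *out, size_t outlen) {
    if (name == NULL || *name == '\0' || kver == NULL || *kver == '\0') return -1;
    if (strchr(name, '/') != NULL || strchr(kver, '/') != NULL) return -1;
    if (strstr(name, "..") != NULL) return -1;   /* conservative: no ".." anywhere */
    int n = snprintf(out, outlen, "/lib/modules/%s/%s/%s.ko",
                     kver, AUTHORIZED_SUBDIR, name);
    if (n < 0 || (size_t)n >= outlen) return -1; /* truncated: refuse */
    return 0;
}

/* Helper for checking: 1 if the name is accepted and yields `expect`. */
int check_module_path(const char *name, const char *kver, const char *expect) {
    char buf[512];
    if (build_authorized_module_path(name, kver, buf, sizeof buf) != 0) return 0;
    return strcmp(buf, expect) == 0;
}

/* Permanently drop to the given uid/gid. Order matters: supplementary
   groups first (root-only), then gid, then uid, because once the uid is
   gone the other two can no longer be changed. setres* sets real,
   effective and saved ids together so the drop cannot be undone. */
int drop_privileges_to(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    return 0;
}

/* Verify the drop took: all three uids equal the target and, unless the
   target is root itself, an attempt to become root again must fail. */
int privileges_are_dropped(uid_t uid) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return 0;
    if (r != uid || e != uid || s != uid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;   /* must not succeed */
    return 1;
}

int main(int argc, char **argv) {
    char path[4096];
    struct utsname u;
    if (argc < 2) {
        fprintf(stderr, "usage: %s MODULE_NAME [CMD ARGS...]\n", argv[0]);
        return 2;
    }
    if (uname(&u) != 0) { perror("uname"); return 1; }
    if (build_authorized_module_path(argv[1], u.release, path, sizeof path) != 0) {
        fprintf(stderr, "refusing module name '%s'\n", argv[1]);
        return 1;
    }
    /* Placeholder for the root-only step (loading `path`); this example
       only reports it and loads nothing. */
    printf("privileged step on %s (euid %d)\n", path, (int)geteuid());

    /* From here on everything runs as the invoking user, so options like
       "-c CMD" or "-O FILE" no longer need to be forbidden by the wrapper. */
    if (drop_privileges_to(getuid(), getgid()) != 0) { perror("drop"); return 1; }
    if (!privileges_are_dropped(getuid())) {
        fprintf(stderr, "privilege drop did not take, aborting\n");
        return 1;
    }
    if (argc > 2) { execvp(argv[2], &argv[2]); perror("execvp"); return 1; }
    printf("continuing unprivileged as uid %d\n", (int)getuid());
    return 0;
}
```

The check after the drop is the part worth keeping even in a thin wrapper: a setuid program that assumes the drop succeeded and then execs the real user's command has silently handed that command root if any of the three calls failed.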