From: Dave Brolley
To: systemtap
Subject: stap-server initscript now available
Date: Thu, 05 Nov 2009 20:41:00 -0000
Message-ID: <4AF33852.8040805@redhat.com>
Mailing-List: contact systemtap-help@sourceware.org; run by ezmlm

Hi,

I've pushed the implementation of a stap-server initscript. It gets
installed with the systemtap-server rpm. It should make management of
systemtap servers a lot easier and this is critical to enabling
unprivileged user support. There are some enhancements coming, but if
you're not cross compiling, it's ready to use now.
Please report problems, concerns or ideas for improvement using PR 10905.

I've attached a usage tutorial to this announcement. I hope that it is
helpful. Also see initscript/README.stap-server for complete details.

Dave

Attachment: stap-server-initscript-usage.txt

stap-server initscript Usage
============================

This document outlines

  o the basic use of the stap-server system service (initscript)
  o the corresponding use of the systemtap client (stap-client) for
    accessing the server
  o using the --unprivileged feature with the client/server for
    unprivileged users.

Unprivileged users are users who are not root, and are not members of the
groups stapdev or stapusr. The systemtap compile server provides a secure
environment for verifying and compiling systemtap scripts for these users
and provides a trusted signer for the resulting kernel module, allowing it
to be verified by staprun on the client host.

Requirements
------------

In order to use the stap-server service, the systemtap and
systemtap-server packages must be installed. You must also have root
access on the host on which the server will be run.

In order to use stap-client, the systemtap-runtime and systemtap-client
packages must be installed. You must also have root access on the host on
which stap-client will be used.

Starting the stap-server Service
--------------------------------

To start the stap-server service, as root, execute the following

    /sbin/service stap-server start

You should see a message indicating that the server is starting, some
information about the target that the server is for (should match the
kernel release and architecture of the host) and a status of OK.
To check that the server is indeed running, run

    /sbin/service stap-server status

You should see a message indicating that the server is running with
details about the target and the server's process id. You need not be
root to run this command.

Using the Server to Compile a Systemtap Script
----------------------------------------------

One purpose of the systemtap server is to provide a centralized
environment for the compilation of systemtap scripts. For example, this
would allow a system administrator to install kernel debuginfo packages
on one host with a server running. Other users on the local network could
then compile and run their scripts using stap-client on compatible hosts
which do not have the debuginfo installed.

Authorizing the Server as a Trusted Server
------------------------------------------

Before we can allow stap-client to attempt to load a module returned by a
systemtap server, we need to assert that the server is an actual
systemtap server and can be trusted to compile the script correctly. This
is done by using an ssl connection verified by the server's certificate
and public key. For servers started by the stap-server service, these can
be found in the file

    /var/lib/stap-server/.systemtap/ssl/server/stap.cert

on the host on which the server is running. In order to authorize this
server as trusted, copy this file to some location on the client host
(which may be the same host as the server host) and, as root, on the
client host, run

    stap-authorize-server-cert /path/to/copied/stap.cert

All users on the client host may now use stap-client to access that
server. To test this, as root, on the client host, run

    stap-client -e 'probe begin { printf ("Hello\n"); exit (); }'

This should print

    Hello

As any other user on the client host, run

    stap-client -e 'probe begin { printf ("Hello\n"); exit (); }'

If this prints

    Hello

then this user is a member of stapdev and is, therefore, a privileged
user. Try running the command again as an unprivileged user.
You should get a message indicating that you are an unprivileged user and
that your module has not been signed by a trusted signer.

Using the Server to Facilitate Use of systemtap by Unprivileged Users
---------------------------------------------------------------------

The loading of modules created by systemtap is generally restricted to
privileged users because of the wide scope of capabilities possible.
However, a subset of systemtap's capabilities are benign to the system
and would not allow users to gain access to normally restricted
information. Certainly our "Hello" script falls into this subset.

Systemtap provides an option (--unprivileged) which, when used by
stap-client in conjunction with a trusted server, allows these scripts to
be compiled and run by unprivileged users. When specified on the
invocation of stap-client, the --unprivileged option instructs the server
to check that the features used by the script fall within the subset of
"safe" features. If so, the server will compile the script and digitally
sign the resulting module. Successful verification of the signature by
the client asserts that the script which produced the module was checked
for safety by a trusted installation of systemtap (the server) and that
the module has not been tampered with since it was signed.

Authorizing the Server as a Trusted Signer
------------------------------------------

Verification of a module's signature requires the signer's certificate
and public key. For servers started using the stap-server service, this
is the same certificate and key which was used to verify the ssl
connection between the client and server. In order to authorize this
server as a trusted signer, copy this file to some location on the client
host and, as root, on the client host, run

    stap-authorize-signing-cert /path/to/copied/stap.cert

An unprivileged user should now be able to compile and run a benign
script using stap-client with --unprivileged specified and this server.
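Both authorization steps, trusted server and trusted signer, hand the same copied stap.cert to a tool that makes every user on the client host trust it, so the copy is worth checking before it is authorized. The following POSIX shell script is an added example, not code from this announcement or from the systemtap project: it compares the SHA-256 digest of the copied file against a digest read off the server host through a separate, already-trusted channel, and only then runs stap-authorize-server-cert (or stap-authorize-signing-cert). The certificate path is the one given above; the AUTHORIZE_CMD variable and the function names are this example's own, and it assumes either sha256sum or openssl is installed on the client.

```shell
#!/bin/sh
# Added example for the two authorization steps in the tutorial; not part
# of the announcement or of systemtap itself. The stap.cert path is the one
# the tutorial gives; AUTHORIZE_CMD and the function names are assumptions
# of this example.

# Location of the certificate on the server host (from the tutorial).
SERVER_CERT_PATH=/var/lib/stap-server/.systemtap/ssl/server/stap.cert

# Print the lower-case SHA-256 hex digest of a file. Prefers sha256sum and
# falls back to openssl; one of the two is assumed to be installed.
cert_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    fi
}

# Succeed only if FILE is a regular, non-empty file whose digest equals
# EXPECTED (compared case-insensitively). A copy that was truncated, altered
# in transit, or taken from the wrong host fails here and is never authorized.
verify_cert() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] && [ -s "$file" ] || return 1
    [ "$(cert_fingerprint "$file")" = "$expected" ]
}

# Hand FILE to the authorization command only after verify_cert passes.
# AUTHORIZE_CMD defaults to stap-authorize-server-cert; set it to
# stap-authorize-signing-cert for the trusted-signer step.
authorize_if_verified() {
    if verify_cert "$1" "$2"; then
        "${AUTHORIZE_CMD:-stap-authorize-server-cert}" "$1"
    else
        echo "refusing to authorize $1: fingerprint check failed" >&2
        return 1
    fi
}

# Operator workflow, with the functions sourced into a root shell on the
# client host:
#   server host: sha256sum "$SERVER_CERT_PATH"
#                (read the digest back over an already-trusted channel,
#                not the one that carried the file)
#   client host: authorize_if_verified /tmp/stap.cert <digest>
#                AUTHORIZE_CMD=stap-authorize-signing-cert
#                authorize_if_verified /tmp/stap.cert <digest>
```

The comparison is case-insensitive so a digest copied by hand from either tool's output is accepted, but an empty or missing file is rejected before any digest is computed, since an empty file has a valid SHA-256 digest of its own and must not slip through as "matching" if someone pastes that value.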
To test that the signer is now trusted, as an unprivileged user, on the
client host, run

    stap-client -e 'probe begin { printf ("Hello\n"); exit (); }' --unprivileged

This should print

    Hello

Stopping the stap-server Service
--------------------------------

To stop the stap-server service, as root, on the server host, execute the
following

    /sbin/service stap-server stop

You should see a message indicating that the server is stopping, some
information about the target that the server is for (should match the
kernel release and architecture of the server host) and a status of OK.

To check that the server is indeed stopped, run

    /sbin/service stap-server status

You should see a message indicating that no servers are running. You need
not be root to run this command.