From: "fche at redhat dot com"
To: systemtap@sourceware.org
Subject: [Bug translator/30321] New: apply privilege separation for passes 2/3/4, esp. if invoked as root
Date: Fri, 07 Apr 2023 01:18:34 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30321

            Bug ID: 30321
           Summary: apply privilege separation for passes 2/3/4, esp.
                    if invoked as root
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: translator
          Assignee: systemtap at sourceware dot org
          Reporter: fche at redhat dot com
  Target Milestone: ---

systemtap's pass 2 (and a bit of pass 3 - the -d option) involves processing
elf/dwarf files via elfutils.  While these files tend to be trusted &
trustworthy, it may be comforting from a security perspective if systemtap
attempts to shed privileges while dealing with them.  Similarly, invoking the
subordinate compilers should be done with a reduced privilege if possible.

Some complications:

- pass 2 may well involve elfutils-triggered debuginfod downloads, ergo
  client cache writes
- pass 3 may want to read /proc/kallsyms, which the kernel may obfuscate
  unless read as root
- filesystem permissions for the target binaries may require root to open
  (but not to process)
- pass 5 will generally require full privileges, so simply dropping privs
  early altogether is not possible

The smallest practical step that may give some incremental protection could
be to add some setreuid(2) calls to temporarily swap between root and an
unprivileged uid around certain processing steps.

-- 
You are receiving this mail because:
You are the assignee for the bug.
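The "temporarily swap between root and an unprivileged uid" step the report proposes, as an added illustration that is not systemtap code and not part of the bug report: a wrapper that lowers the effective uid with setreuid(2) around one processing step and raises it again afterwards, leaving the real uid at 0 so later passes keep their privileges. The wrapper name, the callback interface, the uid 65534 and the "parse" step are all assumptions; the step only records which euid it ran under and returns the length of its input, standing in for the elfutils work described above.

```c
/* Added example (not systemtap code): temporarily swapping the effective uid
 * around an untrusted processing step.  Names and interfaces are hypothetical. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of one wrapped step. */
struct privsep_result {
    int rc;               /* callback return value, or -1 if a uid swap failed */
    uid_t seen_euid;      /* effective uid observed inside the callback */
    uid_t restored_euid;  /* effective uid after swapping back */
};

typedef int (*step_fn)(void *ctx, uid_t *seen_euid);

/* Run `step` with the effective uid set to `unpriv` when we are root, then
 * restore the original euid.  Only the effective uid changes: the real uid
 * stays 0, which is what permits the swap back (a process may always set its
 * euid to its real uid).  When not root there is nothing to shed and the step
 * runs unchanged. */
struct privsep_result run_step_unprivileged(uid_t unpriv, step_fn step, void *ctx)
{
    struct privsep_result r = { -1, (uid_t)-1, (uid_t)-1 };
    uid_t orig = geteuid();
    int swapped = 0;

    if (orig == 0 && unpriv != 0) {
        /* setreuid(-1, unpriv): keep the real uid, lower the effective uid.
         * Always check the result; silently continuing as root would defeat
         * the purpose of the swap. */
        if (setreuid((uid_t)-1, unpriv) != 0) {
            fprintf(stderr, "setreuid(-1, %u): %s\n", (unsigned)unpriv, strerror(errno));
            r.restored_euid = geteuid();
            return r;
        }
        swapped = 1;
    }

    r.rc = step(ctx, &r.seen_euid);

    if (swapped && setreuid((uid_t)-1, orig) != 0) {
        /* Failing to regain root means later passes (e.g. pass 5) cannot run;
         * report it rather than carrying on with a half-privileged process. */
        fprintf(stderr, "setreuid(-1, %u): %s\n", (unsigned)orig, strerror(errno));
        r.rc = -1;
    }
    r.restored_euid = geteuid();
    return r;
}

/* Hypothetical step standing in for ELF/DWARF processing: records the euid it
 * ran under and returns the length of the path it was handed. */
int parse_untrusted_file(void *ctx, uid_t *seen_euid)
{
    const char *path = ctx;
    *seen_euid = geteuid();
    return (int)strlen(path);
}

int main(void)
{
    /* 65534 is the conventional "nobody" uid; a constructed choice for the demo. */
    struct privsep_result r =
        run_step_unprivileged(65534, parse_untrusted_file, "/tmp/example.so");
    printf("step rc=%d, ran as euid %u, restored euid %u\n",
           r.rc, (unsigned)r.seen_euid, (unsigned)r.restored_euid);
    return r.rc < 0;
}
```

Run as root the step executes with euid 65534 and the process is back to euid 0 afterwards; run as an ordinary user it is a no-op wrapper. Two caveats a practitioner should keep in mind match the report's own framing of this as "incremental protection": because the real uid stays 0, the lowered euid guards against accidental privileged file access by the wrapped code, not against code that is already executing in the process and can simply call setreuid itself; and on Linux credentials are per-thread, so the swap must cover every thread that touches the untrusted data (glibc's setreuid wrapper propagates the change to all threads, but a raw syscall does not).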