From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
	id D63153858D28; Fri,  7 Apr 2023 01:18:34 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org D63153858D28
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1680830314;
	bh=K4HT0vpce07HRf1ChjuzW/6UhKeRs+FKTZHQ+GSSchM=;
	h=From:To:Subject:Date:From;
	b=BEiiq6jiDnufxAJ4h3SVpnUh8JV8dy3giLL8SPPSjmOHVwk0i4Ux4VB7gq6g+UK2I
	 b5UDFyu5xanFlyxF1wPYaNt99tjsDzUWkZt5Wd8bWoGnSWzaeh1KL9zjhTu9AaDVjD
	 afyK8/X0TeAYY4NrafJa72vHzx3MHDNxNMIN7CE4=
From: "fche at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: systemtap@sourceware.org
Subject: [Bug translator/30321] New: apply privilege separation for passes
 2/3/4, esp. if invoked as root
Date: Fri, 07 Apr 2023 01:18:34 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: systemtap
X-Bugzilla-Component: translator
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: fche at redhat dot com
X-Bugzilla-Status: NEW
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: systemtap at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status
 bug_severity priority component assigned_to reporter target_milestone
Message-ID: <bug-30321-6586@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <systemtap.sourceware.org>

https://sourceware.org/bugzilla/show_bug.cgi?id=3D30321

            Bug ID: 30321
           Summary: apply privilege separation for passes 2/3/4, esp. if
                    invoked as root
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: translator
          Assignee: systemtap at sourceware dot org
          Reporter: fche at redhat dot com
  Target Milestone: ---

systemtap's pass 2 (and a bit of pass 3 - the -d option) involves processing
elf/dwarf files via elfutils.  While these files tend to be trusted &
trustworthy, it may be comforting from a security perspective if systemtap
attempts to shed privileges while dealing with them.  Similarly, invoking t=
he
subordinate compilers should be done with a reduced privilege if possible.

Some complications:

- pass 2 may well involve elfutils-triggered debuginfod downloads,
  ergo client cache writes

- pass 3 may want to read /proc/kallsyms, which the kernel may obfuscate
  unless read as root

- filesystem permissions for the target binaries may require root to open
  (but not to process)

- pass 5 will generally require full privileges, so simply dropping privs
  early altogether is not possible


The smallest practical step that may give some incremental protection
could be to add some setreuid(2) calls to temporarily swap between root
and an unprivileged uid around certain processing steps.

--=20
You are receiving this mail because:
You are the assignee for the bug.=