From: fche@redhat.com (Frank Ch. Eigler)
To: David Smith <dsmith@redhat.com>
Cc: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>,
grundy <grundym@us.ibm.com>,
fedora-security-list@redhat.com,
Systemtap List <systemtap@sources.redhat.com>
Subject: Re: Need some security advice for systemtap
Date: Mon, 11 Jun 2007 21:32:00 -0000 [thread overview]
Message-ID: <y0mps42p483.fsf@ton.toronto.redhat.com> (raw)
In-Reply-To: <466D95D4.2090903@redhat.com>
David Smith <dsmith@redhat.com> writes:
> [...]
> Solving both problems would look like this:
>
> (A) A sysadmin would compile systemtap tap scripts into kernel modules
> and store the module in something like
> /etc/systemtap/authorized_modules/$kernel_version/foo.ko
The suggestion of using /lib/modules itself is a great one.
> (B) The sysadmin would add anyone needing to be able to run those
> modules to the new 'systemtap' group.
Good idea.
> (C) We'll have a new program, staprun.auth, which would be owned by
> root, group systemtap, and file permission would be 04110. Here's
> what a 'ls -l' would look like on it:
>
> ---s--x--- 1 root systemtap {size} {date} /usr/bin/staprun.auth
OK.
> [...]
> (D) staprun.auth will need to disallow certain staprun.auth
> command-line arguments, such as:
> - "-c CMD" [...]
> - "-O FILE" [...]
Actually, it doesn't. A setuid program can drop its privileges after
performing the root-only operations (module loading), and invoke the
rest of the normal commands as the real userid.
> [...]
> $ staprun.auth stap_foo.ko
> (staprun.auth will make sure /etc/systemtap/authorized_modules/`uname
> -r`/stap_foo.ko exists, then exec staprun with that module)
> [...]
It would be better to have staprun.auth perform the module loading and
setup parts of current staprun, and defer the unprivileged work to
ordinary staprun.
Now, if only we could automate the sudo vs. setuid mechanisms...
Maybe even SYSTEMTAP_DIR=/lib/modules/`uname -r`/systemtap?
- FChE
next prev parent reply other threads:[~2007-06-11 21:32 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-04 19:34 David Smith
2007-06-05 8:47 ` Tomasz Chmielewski
2007-06-05 15:09 ` Frank Ch. Eigler
2007-06-05 20:40 ` David Smith
2007-06-05 17:20 ` grundy
2007-06-05 20:56 ` David Smith
2007-06-08 22:00 ` Pavel Kankovsky
2007-06-11 13:09 ` David Smith
2007-06-11 18:35 ` David Smith
2007-06-11 21:32 ` Frank Ch. Eigler [this message]
2007-06-11 22:00 ` David Smith
2007-06-16 15:35 ` Pavel Kankovsky
2007-06-18 19:45 ` David Smith
2007-06-19 0:02 ` Martin Hunt
2007-06-19 19:57 ` David Smith
2007-06-19 20:42 ` Stone, Joshua I
2007-07-01 16:14 ` Pavel Kankovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=y0mps42p483.fsf@ton.toronto.redhat.com \
--to=fche@redhat.com \
--cc=dsmith@redhat.com \
--cc=fedora-security-list@redhat.com \
--cc=grundym@us.ibm.com \
--cc=peak@argo.troja.mff.cuni.cz \
--cc=systemtap@sources.redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).