Need some security advice for systemtap

David Smith dsmith at redhat.com
Mon Jun 11 22:00:29 UTC 2007


Frank Ch. Eigler wrote:
> David Smith <dsmith at redhat.com> writes:
> 
>> [...]
>> Solving both problems would look like this:
>>
>> (A) A sysadmin would compile systemtap tap scripts into kernel modules
>> and store the module in something like
>> /etc/systemtap/authorized_modules/$kernel_version/foo.ko
> 
> The suggestion of using /lib/modules itself is a great one.

I'm OK with that.  From later in your email it looks like you are 
shooting for /lib/modules/`uname -r`/systemtap, which seems reasonable.

>> [...]
>> (D) staprun.auth will need to disallow certain staprun.auth
>> command-line arguments, such as:
>> - "-c CMD" [...]
>> - "-O FILE" [...]
> 
> Actually, it doesn't.  A setuid program can drop its privileges after
> performing the root-only operations (module loading), and invoke the
> rest of the normal commands as the real userid.

Hmm.


I was trying to duplicate as little of staprun as possible - just parse 
arguments, make sure the module is in the correct place, then exec 
staprun for all the real processing.  I was trying to make staprun_auth 
a very thin wrapper around staprun.

With your idea I don't see a way around duplicating all of staprun (not 
actual code duplication, but compiling all of staprun into staprun_auth).

Perhaps there is a merged approach.  Keep staprun_auth a thin wrapper 
around staprun, but change staprun to raise and lower privileges as 
needed when inserting/removing modules, setting up relayfs, etc.

-- 
David Smith
dsmith at redhat.com
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)
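The two privilege models discussed above (Frank's: do the root-only work, then run everything else as the real user; David's merged approach: raise and lower around each root-only step) as an added C example. This is not code from the thread or from systemtap; the function names, the ordering rules in the comments, and the assumption that the candidate module path has already been canonicalised with realpath() against /lib/modules/`uname -r`/systemtap are mine.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <string.h>
#include <unistd.h>

/* Temporary drop for the "raise and lower as needed" model: real and effective ids become
 * the invoking user's, saved ids keep root so raise_privileges() can wrap each root-only step. */
int lower_privileges(uid_t uid, gid_t gid)
{
    if (setresgid((gid_t)-1, gid, (gid_t)-1) != 0) return -1; /* gid first: euid is still 0 */
    if (setresuid((uid_t)-1, uid, (uid_t)-1) != 0) return -1;
    return 0;
}

int raise_privileges(void)
{
    if (setresuid((uid_t)-1, 0, (uid_t)-1) != 0) return -1;   /* uid first: need euid 0 for gid */
    if (setresgid((gid_t)-1, 0, (gid_t)-1) != 0) return -1;
    return 0;
}

/* Permanent drop before exec'ing staprun as the real user: real, effective AND saved
 * ids all become the user's, so nothing in the exec'd process can get root back. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1; /* supplementary groups need CAP_SETGID */
    if (setresgid(gid, gid, gid) != 0) return -1;              /* group before user */
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (uid != 0 && setresuid(0, 0, 0) == 0) return -1;       /* regaining root must now fail */
    return 0;
}

/* True only if real, effective and saved ids all equal the given unprivileged ids. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su; gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0) return 0;
    return ru == uid && eu == uid && su == uid && rg == gid && eg == gid && sg == gid;
}
/* Authorized-module check on a path already canonicalised with realpath(): it must sit
 * directly inside dir (no subdirectory component) and be named *.ko. */
int module_is_authorized(const char *resolved, const char *dir)
{
    size_t n = strlen(dir);
    if (strncmp(resolved, dir, n) != 0 || resolved[n] != '/') return 0;
    const char *name = resolved + n + 1;
    size_t len = strlen(name);
    return len > 3 && strchr(name, '/') == NULL && strcmp(name + len - 3, ".ko") == 0;
}
```

The wrapper would call drop_privileges() immediately before exec'ing staprun; raise_privileges()/lower_privileges() are only for the merged design where staprun itself keeps root in the saved uid.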
More information about the Fedora-security-list mailing list