This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
[Bug runtime/4523] setuid staprun for module loading by unprivileged users
- From: "dsmith at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: systemtap at sources dot redhat dot com
- Date: 4 Jun 2007 19:04:07 -0000
- Subject: [Bug runtime/4523] setuid staprun for module loading by unprivileged users
- References: <20070518162655.4523.fche@redhat.com>
- Reply-to: sourceware-bugzilla at sourceware dot org
------- Additional Comments From dsmith at redhat dot com 2007-06-04 19:04 -------
Here's a summary of the security-related ideas from Frank's email:
...
We've mentioned somehow securely identifying of compiled modules to
represent a special permission to execute. This would be a way of
having a security expert dude formally designate a module for use on a
locked-down deployment machine. Given that the modsign code in
FC/RHEL is not widespread or general enough, a proper kernel-enforced
crypto signature may be out of reach. Maybe we can list (say) md5sums
of approved module .ko's in a /etc/systemtap/authorized_probes file,
and have a new staprun.auth variant that checks it before submitting a
module to insmod(8) (or actually better, to sys_init_module(2)
directly).
...
# grep TARGET2 $HOME/.systemtap/known_hosts
TARGET2 execute=ssh:user@host.name:auth kernel=2.6.18-78234.327 arch=i686 cpu=p4
% md5sum /home/fche/.systemtap/cache/0xfeedface.ko
982734982739487239487234
% ssh root@host.name echo md5:982734982739487239487234 >> /etc/systemtap/authorized_probes # bless this module
% stap -T TARGET2 -e "probe foo { ... }" -x CMD
(scp 0xfeedface.ko to user@host.name:/tmp)
(ssh user@host.name staprun.auth /tmp/0xfeedface.ko -x CMD)
(no sudo password needed!)
(CMD forked under real-uid privileges; module loaded under setuid)
(probe output)
--
What      |Removed                                |Added
----------------------------------------------------------------------------
AssignedTo|systemtap at sources dot redhat dot com|dsmith at redhat dot com
Status    |NEW                                    |ASSIGNED
http://sourceware.org/bugzilla/show_bug.cgi?id=4523
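The authorized_probes check sketched above, as an added example that is not part of the bug report or of staprun itself. It assumes the file holds one "md5:<hex>" entry per line (it also accepts "sha256:<hex>", my addition, so a deployment can move off MD5), and shows the two details that make such a check hold up: the policy file must be root-owned and not group/world-writable, and the bytes that are hashed must be the very bytes handed to the loader, as init_module(2) allows, so nothing can be swapped between the check and the load. The loader is passed in as a callable because this example does not load kernel modules.

```python
import hashlib
import os
import re

# Assumed entry format, following the sketch above: one "md5:<hex>" per line.
# "sha256:<hex>" is accepted too so the list can migrate off MD5 (my addition).
_ENTRY_RE = re.compile(r"^(md5:[0-9a-f]{32}|sha256:[0-9a-f]{64})$")

def parse_authorized_probes(text: str) -> set[str]:
    """Parse authorized_probes text into a set of 'algo:hexdigest' entries.
    Blank lines and '#' comments are skipped; any other malformed line raises."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if _ENTRY_RE.match(line) is None:
            raise ValueError(f"malformed authorized_probes entry: {raw!r}")
        entries.add(line)
    return entries

def module_digests(image: bytes) -> set[str]:
    """Digests of the in-memory module image, in the same 'algo:hex' form."""
    return {"md5:" + hashlib.md5(image).hexdigest(),
            "sha256:" + hashlib.sha256(image).hexdigest()}

def is_authorized(image: bytes, authorized: set[str]) -> bool:
    """True if any digest of this exact image appears in the authorized set."""
    return not module_digests(image).isdisjoint(authorized)

def authorize_and_load(module_path: str, authorized_file: str, loader) -> int:
    """Read the .ko once, check it, and hand the *same bytes* to the loader,
    so there is no window to swap the file between the check and the load."""
    with open(authorized_file, "rb") as f:
        st = os.fstat(f.fileno())
        # The policy file must be root-owned and not group/world-writable,
        # otherwise an unprivileged user could simply bless their own module.
        if st.st_uid != 0 or st.st_mode & 0o022:
            raise PermissionError(f"{authorized_file}: must be root-owned, mode <= 0644")
        authorized = parse_authorized_probes(f.read().decode())
    with open(module_path, "rb") as f:
        image = f.read()
    if not is_authorized(image, authorized):
        raise PermissionError(f"{module_path} is not listed in {authorized_file}")
    return loader(image)

# Constructed sample data for a stand-alone run (not a real kernel module).
SAMPLE_IMAGE = b"\x7fELF constructed stand-in for 0xfeedface.ko"
SAMPLE_AUTH = "# blessed modules\nmd5:" + hashlib.md5(SAMPLE_IMAGE).hexdigest() + "\n"
```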