This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Re: Need some security advice for systemtap
- From: Tomasz Chmielewski <mangoo at wpkg dot org>
- To: David Smith <dsmith at redhat dot com>
- Cc: fedora-security-list at redhat dot com, Systemtap List <systemtap at sources dot redhat dot com>
- Date: Tue, 05 Jun 2007 10:46:55 +0200
- Subject: Re: Need some security advice for systemtap
- References: <4664691E.7010803@redhat.com>
David Smith schrieb:
(...)
Some basic ideas about how we can allow users without sudo access to run
"blessed" scripts/modules can be seen at
<http://sources.redhat.com/bugzilla/show_bug.cgi?id=4523>,
So, I'm looking for thoughts, criticisms, pointers, etc. to do this in a
manner that won't allow a system to be easily compromised. We're in
the fairly early stages of this idea, and I'm looking for direction
before heading down the wrong road.
Am I right? Is it security based on md5sum?
I'm not sure how easy would it be to "produce" two kernel modules having
the same MD5 checksum - but before you continue, you might want to read
a short article called "Attacking Hash Functions by Poisoned Messages":
http://www.cits.rub.de/MD5Collisions/
--
Tomasz Chmielewski
http://wpkg.org