Re: Systemtap Client/server Certificate Management and Usage Improvements

[Dave Brolley <brolley at redhat dot com>]

Eugeniy Meshcheryakov wrote:
> Hello,
>   
Hi and thanks for your feedback!
> 13 ????? 2009 ? 13:40 -0500 Dave Brolley ???????(-??):
>   
> > 1) Client/server certificate databases are no longer generated at build  
> > time and are no longer installed
> >     
> It will be good to have empty config directories that can be used by
> client/server installed.
>   
Can you provide an example of why these would be needed? The server and 
other tools should automatically create these as needed. Are you perhaps 
you're referring to an empty $(sysconfdir)/systemtap/ssl/client 
directory as a hint for the sysadmin as to where to add globally trusted 
server certificates?


>   
> > Usage Goals
> > -----------
> > 1) Any user can run stap from phase 1 through 4 inclusive (-p1 through -p4), so
> >    any user should be able to interface with a trusted systemtap server for
> >    requests limited to these phases. The server need not be compatible with
> >    the platform of the client.
> >     
> This can be a problem for the server. At least DoS attack is possible.
>   
Sure this is a problem for any server. All this is saying is that all 
non privileged users should be able to access and use a trusted server 
for requests limited to phases 1 through 4.
>   
> > 2) Currently, only privileged users (root or a member of stapdev or stapusr) can
> >    load a systemtap module (phase 5). The module must have been generated by
> >    stap on the local host or on a compatible host. Similarly, privileged users
> >    should be able to interface with a trusted and compatible systemtap server
> >     and load the resulting module.
> >     
> Members of stapusr should not be able to run generated modules IMHO.
>   
This has nothing to do with the client/server. It is simply the current 
implementation of staprun as I understand it.
>   
> > 3) In the future (or already?), unprivileged users will be able to load modules
> >    probing user-space code and, similarly, unprivileged users should then be
> >    able to interface with a trusted and compatible systemtap server and load the
> >    resulting module.
> >     
> Hmm, I'd not allow unpriviledged users to load any kernel modules... At least not
> without a lot of checks on server side.
>   
Yes, of course there will be appropriate checking on the server side. 
This particular capability has been one of the design goals of the 
client/server from the beginning. Perhaps I misunderstand how it will be 
(has been?) implemented. Does user space probing not use modules?
>   
> > 4) In the future, unprivileged users should be able to load a module generated
> >    by servers "blessed" by privileged users. This will be a separate level of
> >    authority similar to membership in the groups stapdev or stapusr.
> >     
> Does that mean allowing any user to load kernel modules? Or creating one more group
> like stapdev but without posibility to compile localy and run compile servers? Will
> server do any additional check for probe files from such users?
>   
Yes, it is intended that the server will do additional checking to 
ensure the safety of the modules (e.g. no guru mode features etc.). From 
a permission point of view this will allow a sysadmin to enforce 
something equivalent to "you can load modules provided that server X 
will compile it for you". Note that local servers started by random 
users will not have this capability since the client will only check the 
global certificate database for servers trusted for this purpose.

>   
> > 2) a database local to the user starting the server.
> >
> >    For unprivileged users, the database is in the directory
> >
> >      /home/<user>/.systemtap/ssl/server
> >     
> I hope you meant $(HOME)/.systemtap/ssl/server here...
>   
Yes, thanks.
>   
> >    For root (EUID=0) users, the database is in the directory
> >
> >      $(prefix)/etc/systemtap/ssl/server
> >     
> ... and $(sysconfdir)/systemtap/ssl/server here.
>   
Yes, thanks again.
>   
> >    where $(prefix) is the prefix used to install systemtap.
> >
> >     
>
> And the same here:
>   
Yes.
> >    For unprivileged users, the database is in the directory
> >
> >      /home/<user>/.systemtap/ssl/client
> >
> >    For root (EUID=0) users, the database is in the directory
> >
> >      $(prefix)/etc/systemtap/ssl/client
> >
> >    where $(prefix) is the prefix used to install systemtap.
> >     
>
>   
Thanks again for your feedback!

Dave