Re: Need some security advice for systemtap
Frank Ch. Eigler wrote:
> David Smith <dsmith@xxxxxxxxxx> writes:
>> [...] Solving both problems would look like this:
>> (A) A sysadmin would compile systemtap tap scripts into kernel modules and store the module in something like /etc/systemtap/authorized_modules/$kernel_version/foo.ko
>
> The suggestion of using /lib/modules itself is a great one.
I'm OK with that. From later in your email it looks like you are shooting for /lib/modules/`uname -r`/systemtap, which seems reasonable.
>> [...]
>> (D) staprun.auth will need to disallow certain staprun.auth command-line arguments, such as:
>> - "-c CMD" [...]
>> - "-O FILE" [...]
>
> Actually, it doesn't. A setuid program can drop its privileges after performing the root-only operations (module loading), and invoke the rest of the normal commands as the real userid.
Hmm. I was trying to duplicate as little of staprun as possible - just parse arguments, make sure the module is in the correct place, then exec staprun for all the real processing. I was trying to make staprun_auth a very thin wrapper around staprun.
With your idea I don't see a way around duplicating all of staprun (not actual code duplication, but compiling all of staprun into staprun_auth).
Perhaps there is a merged approach. Keep staprun_auth a thin wrapper around staprun, but change staprun to raise and lower privileges as needed when inserting/removing modules, setting up relayfs, etc.
--
David Smith
dsmith@xxxxxxxxxx
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
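The two checks discussed in this thread, as an added example that is not staprun code or either poster's code: confirm the requested module resolves inside the authorized directory, then give up the setuid-root identity for good once the root-only step is done. The function names, the ownership and write-permission checks, and the exact directory string built in `main` are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/utsname.h>
#include <unistd.h>

/* Assumed policy: path must be of `type`, owned by `owner`, and not
 * writable by group or other, so an unprivileged user cannot swap it. */
static int trusted(const char *p, uid_t owner, mode_t type)
{
    struct stat st;
    return stat(p, &st) == 0 && (st.st_mode & S_IFMT) == type &&
           st.st_uid == owner && !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* 1 only if `path`, with symlinks and ".." resolved, lies under `dir`. */
int module_authorized(const char *dir, uid_t owner, const char *path)
{
    char real_dir[PATH_MAX], real_mod[PATH_MAX];
    if (!realpath(dir, real_dir) || !realpath(path, real_mod))
        return 0;
    size_t n = strlen(real_dir);
    if (strncmp(real_mod, real_dir, n) != 0 || real_mod[n] != '/')
        return 0;                     /* resolved outside the directory */
    return trusted(real_dir, owner, S_IFDIR) && trusted(real_mod, owner, S_IFREG);
}

/* Permanent drop: group first, then user, then prove root is unreachable. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    return (getuid() != 0 && setuid(0) == 0) ? -1 : 0;
}

int main(int argc, char **argv)
{
    struct utsname u;
    char dir[PATH_MAX];
    if (argc != 2 || uname(&u) != 0) return 2;
    snprintf(dir, sizeof dir, "/lib/modules/%s/systemtap", u.release);
    if (!module_authorized(dir, 0, argv[1])) return 1;
    /* The root-only step (module loading) would go here, before the drop. */
    return drop_privileges() != 0;
}
```

Because the directory itself is required to be writable only by its owner, the gap between the check and the later load cannot be exploited by an unprivileged user replacing the file.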