Re: Need some security advice for systemtap

grundy wrote:
> I think a good way to handle it would be to have a configuration file
> like /etc/sudoers and setuid root stap (or staprun). The access control
> would then be built into systemtap.
> Here are my ideas of what would make a "good" set of controls:
>
>  - level of tap script they can run, e.g. guru mode code or not
>  - sections of the kernel they can access (maybe this is
>    better represented as what tapsets may they use)
>  - how much overhead are they allowed to put on the system
>  - are they allowed to look at data for other users' processes
>  - are they allowed to reference line #'s or direct memory addrs

That sounds nice, but I'm worried about implementing such a feature correctly, on at least two levels. First, you assume that systemtap can correctly characterize the effects a script will have on the system. Then you want to add an ACL system into systemtap based on those effects.

One advantage the proposed system has is that there *is* a human in the loop, a root user who will (hopefully) look at a script and check it out before "blessing" it.

--
David Smith
dsmith@xxxxxxxxxx
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
