Frank Ch. Eigler wrote:
David Smith <dsmith@xxxxxxxxxx> writes:
[...]
Solving both problems would look like this:
(A) A sysadmin would compile systemtap tap scripts into kernel modules
and store the module in something like
/etc/systemtap/authorized_modules/$kernel_version/foo.ko
The suggestion of using /lib/modules itself is a great one.
I'm OK with that. From later in your email it looks like you are
shooting for /lib/modules/`uname -r`/systemtap, which seems reasonable.
>> [...]
(D) staprun.auth will need to disallow certain staprun.auth
command-line arguments, such as:
- "-c CMD" [...]
- "-O FILE" [...]
Actually, it doesn't. A setuid program can drop its privileges after
performing the root-only operations (module loading), and invoke the
rest of the normal commands as the real userid.
Hmm.
I was trying to duplicate as little of staprun as possible - just parse
arguments, make sure the module is in the correct place, then exec
staprun for all the real processing. I was trying to make staprun_auth
a very thin wrapper around staprun.
With your idea I don't see a way around duplicating all of staprun (not
actual code duplication, but compiling all of staprun into staprun_auth).
Perhaps there is a merged approach. Keep staprun_auth a thin wrapper
around staprun, but change staprun to raise and lower privileges as
needed when inserting/removing modules, setting up relayfs, etc.
--
David Smith
dsmith@xxxxxxxxxx
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)
--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
