Re: Need some security advice for systemtap

Frank Ch. Eigler wrote:
> David Smith <dsmith@xxxxxxxxxx> writes:
>
>> [...]
>> Solving both problems would look like this:
>>
>> (A) A sysadmin would compile systemtap tap scripts into kernel modules
>> and store the module in something like
>> /etc/systemtap/authorized_modules/$kernel_version/foo.ko
>
> The suggestion of using /lib/modules itself is a great one.

I'm OK with that. From later in your email it looks like you are shooting for /lib/modules/`uname -r`/systemtap, which seems reasonable.

>> [...]
>> (D) staprun.auth will need to disallow certain staprun.auth
>> command-line arguments, such as:
>> - "-c CMD" [...]
>> - "-O FILE" [...]
>
> Actually, it doesn't.  A setuid program can drop its privileges after
> performing the root-only operations (module loading), and invoke the
> rest of the normal commands as the real userid.

Hmm.


I was trying to duplicate as little of staprun as possible - just parse arguments, make sure the module is in the correct place, then exec staprun for all the real processing. I was trying to make staprun_auth a very thin wrapper around staprun.

With your idea I don't see a way around duplicating all of staprun (not actual code duplication, but compiling all of staprun into staprun_auth).

Perhaps there is a merged approach. Keep staprun_auth a thin wrapper around staprun, but change staprun to raise and lower privileges as needed when inserting/removing modules, setting up relayfs, etc.

--
David Smith
dsmith@xxxxxxxxxx
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
