Re: Need some security advice for systemtap

["Stone, Joshua I" <joshua dot i dot stone at intel dot com>]

David Smith wrote:
> Martin Hunt wrote:
> > On Mon, 2007-06-18 at 14:44 -0500, David Smith wrote:
> > > Pavel Kankovsky wrote:
> > > > On Mon, 11 Jun 2007, David Smith wrote:
> > >
> > > > BTW2: Let's suppose start_cmd() creates a process running under an
> > > > unprivileged user. I think it can be killed (by the unprivileged 
> > > > user)  before it gets SIGUSR1 and the system might recycle its pid. 
> > > > Therefore
> > > > kill() in STP_START branch of stp_main_loop() is unsafe.
> > > Hmm.  Got any ideas on how to fix this?
> >
> > So, while the module loads its probes, we kill the start_cmd() process
> > and create enough new processes to recycle the pid? Then staprun sends
> > either SIGKILL or SIGUSR1 to the wrong process? Theoretically, if we set
> > tens of thousands of probes, we would have a few milliseconds to do
> > this. 
>
> I do agree it isn't a likely occurrence, but if it is possible to fix we 
> ought to look at it.

This should be manageable.  When a child process exits, it sends a 
SIGCHLD and sits as a zombie until the parent has wait()ed for it.  As 
long as it's a zombie, the pid won't be recycled.

We just need to notice in our sig handler that the start_cmd process 
died, and make sure we don't try to kill the pid after that.

Josh