This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
[Bug runtime/5716] New: staprun/stapio setuid/capability simplification
- From: "fche at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: systemtap at sources dot redhat dot com
- Date: 2 Feb 2008 17:48:31 -0000
- Subject: [Bug runtime/5716] New: staprun/stapio setuid/capability simplification
- Reply-to: sourceware-bugzilla at sourceware dot org
Let's consider moving away from capabilities as the primary
means of limiting staprun's setuid privileges while a probe
module is actually running. Considering that module loading
and unloading privilege can be reactivated at any time (at
least in the way we're using them), capabilities do not provide
any incremental security. (An attacker might find a way to
trick staprun to reactivate CAP_SYS_MODULE early, then load
a hostile module, at which point the game is over.)
Since the only reason AFAIK for this complexity was to permit
module *unloading* at the end of a run, let's think of another
solution for this. Perhaps something as simple as a cleanup
task like the old "remove ref-0 module" cron job could do it.
Or staprun could be made to stick around in the background as
a daemon as long as the module is needed, even if -L/-A type
detach/attach is subsequently done. -L/-A could match the
lifetime of unprivileged stapio rather than staprun processes.
--
Summary: staprun/stapio setuid/capability simplification
Product: systemtap
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: runtime
AssignedTo: systemtap at sources dot redhat dot com
ReportedBy: fche at redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=5716
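As an added illustration of the point made in the message above (not systemtap's own code; written for this archive page and assuming Linux with the raw capget/capset syscalls rather than libcap): clearing a capability from the effective set only leaves it re-raisable at any time, whereas removing it from the permitted set is final for that process, which is the distinction a setuid helper like staprun has to rely on.

```c
#define _GNU_SOURCE            /* for syscall() in <unistd.h> */
#include <errno.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
/* Snapshot of the calling thread's capability sets (V3 layout: two words). */
struct capsets {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
};
static int caps_get(struct capsets *c) {
    c->hdr.version = _LINUX_CAPABILITY_VERSION_3;
    c->hdr.pid = 0;                                 /* 0 = calling thread */
    return (int)syscall(SYS_capget, &c->hdr, c->data);
}
static int caps_set(struct capsets *c) {
    return (int)syscall(SYS_capset, &c->hdr, c->data);
}

/* The check that matters: a bit absent from effective but still present in
 * permitted can be raised again at will, so it is not a security boundary. */
int cap_reactivatable(int cap) {
    struct capsets c;
    if (caps_get(&c) < 0) return -1;
    return (c.data[CAP_TO_INDEX(cap)].permitted & CAP_TO_MASK(cap)) != 0;
}

/* permanent == 0: clear only the effective bit, which is reversible while the
 * bit stays in permitted.  permanent != 0: also clear permitted and
 * inheritable; capset() never lets a process re-add a permitted bit. */
int drop_cap(int cap, int permanent) {
    struct capsets c;
    if (caps_get(&c) < 0) return -1;
    struct __user_cap_data_struct *w = &c.data[CAP_TO_INDEX(cap)];
    w->effective &= ~CAP_TO_MASK(cap);
    if (permanent) {
        w->permitted   &= ~CAP_TO_MASK(cap);
        w->inheritable &= ~CAP_TO_MASK(cap);
    }
    return caps_set(&c);
}

/* Raise the effective bit again: 0 if the kernel allowed it, -1 with errno
 * EPERM once the bit is gone from permitted (the only final state). */
int try_raise_effective(int cap) {
    struct capsets c;
    if (caps_get(&c) < 0) return -1;
    c.data[CAP_TO_INDEX(cap)].effective |= CAP_TO_MASK(cap);
    return caps_set(&c);
}
```

Run as an unprivileged user the effective-only drop still succeeds, and after the permanent drop the kernel refuses to re-raise the bit regardless of what the process started with.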