This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: run-stap vs -c


Roland McGrath wrote:
> Um, what?  
> 
> 5717eae:
> 
> $ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -ru; id -u; id'
> 5281
> 5281
> uid=5281(roland) gid=5281(roland) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0
> hello world

Ok...

$ ./run-stap -V
SystemTap translator/driver (version 0.9.5/0.140 commit 5717eaeb)
Copyright (C) 2005-2009 Red Hat, Inc. and others
This is free software; see the source for copying conditions.
$ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -ru; id -u; id'
500
500
uid=500(jistone) gid=500(jistone) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
hello world
$ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -u'
0
hello world
$ groups jistone
jistone : jistone sys wheel stapdev stapusr

At a minimum, we should add -P to your sudo so the groups are correct.
Still, the /sys/debug/... channel is owned by root and stapio is running
as EUID root, which is very different than how it runs with setuid.

I am confused about the different id outputs.  Complex commands are
invoked using "sh -c '...'", and simple commands are invoked directly.
Why would sh change the EUID?


> 65ffc3f:
> 
> $ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -ru; id -u; id'
> ERROR: You are trying to run stap as a normal user.
> You must be a member of either group "stapdev" or group "stapusr".
> Please contact your system administrator to get yourself membership to either of those groups.
> For more information, please consult the "SAFETY AND SECURITY" section of the "stap(1)" manpage.

$ sudo usermod -a -G stapdev roland

Voila.


$ ./run-stap -V
SystemTap translator/driver (version 0.9.5/0.140 commit 65ffc3f3)
Copyright (C) 2005-2009 Red Hat, Inc. and others
This is free software; see the source for copying conditions.
$ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -ru; id -u; id'
500
500
uid=500(jistone) gid=500(jistone) groups=3(sys),10(wheel),489(stapusr),490(stapdev),500(jistone) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
hello world
$ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -u'
500
hello world

In this model, the /sys/debug/... channel is owned by me, and the
stapio runs as me.  The sudo in this case is only being used to emulate
what setuid would have done, and all the normal permission checks in
staprun still apply.

Josh


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]