This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Re: run-stap vs -c
- From: Josh Stone <jistone at redhat dot com>
- To: Roland McGrath <roland at redhat dot com>
- Cc: systemtap at sources dot redhat dot com
- Date: Wed, 01 Apr 2009 21:39:00 -0700
- Subject: Re: run-stap vs -c
- References: <20090402030359.953F6FC3AB@magilla.sf.frob.com>
Roland McGrath wrote:
> Um, what?
>
> 5717eae:
>
> $ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -ru; id -u; id'
> 5281
> 5281
> uid=5281(roland) gid=5281(roland) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0
> hello world
Ok...
$ ./run-stap -V
SystemTap translator/driver (version 0.9.5/0.140 commit 5717eaeb)
Copyright (C) 2005-2009 Red Hat, Inc. and others
This is free software; see the source for copying conditions.
$ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -ru; id -u; id'
500
500
uid=500(jistone) gid=500(jistone) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
hello world
$ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -u'
0
hello world
$ groups jistone
jistone : jistone sys wheel stapdev stapusr
At a minimum, we should add -P to your sudo so the groups are correct.
Still, the /sys/debug/... channel is owned by root and stapio is running
as EUID root, which is very different than how it runs with setuid.
I am confused about the different id outputs. Complex commands are
invoked using "sh -c '...'", and simple commands are invoked directly.
Why would sh change the EUID?
> 65ffc3f:
>
> $ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -ru; id -u; id'
> ERROR: You are trying to run stap as a normal user.
> You must be a member of either group "stapdev" or group "stapusr".
> Please contact your system administrator to get yourself membership to either of those groups.
> For more information, please consult the "SAFETY AND SECURITY" section of the "stap(1)" manpage.
$ sudo usermod -a -G stapdev roland
Voila.
$ ./run-stap -V
SystemTap translator/driver (version 0.9.5/0.140 commit 65ffc3f3)
Copyright (C) 2005-2009 Red Hat, Inc. and others
This is free software; see the source for copying conditions.
$ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -ru; id -u; id'
500
500
uid=500(jistone) gid=500(jistone) groups=3(sys),10(wheel),489(stapusr),490(stapdev),500(jistone) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
hello world
$ ./run-stap -e 'probe begin { printf("hello world\n") }' -c 'id -u'
500
hello world
In this model, the /sys/debug/... channel is owned by me, and the
stapio runs as me. The sudo in this case is only being used to emulate
what setuid would have done, and all the normal permission checks in
staprun still apply.
Josh