This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: run-stap vs -c
Josh Stone wrote:
> If staprun sees that UID!=EUID, then that looks like a setuid
> invocation, so it must do all of its permission checks. So to bypass
> the checks, run-stap has to invoke staprun with UID=EUID=0 (which is
> what you had).
>
> In that case, the control channel has root-only perms. I see two ways
> for a non-root stapio to get at it:
>
> 1. Let run-stapio open the channel, set UID=EUID!=0, and pass the fd# as
> a stapio argument or environment variable.
>
> 2. Let run-stapio leave EUID=0 and set UID!=0 (which is what you had).
> Then after stapio opens the control channel, it can notice that
> UID!=EUID and so call setresuid to drop permissions.
>
> Both of those require modifying stapio, but #1 seems a little safer to
> me. Thoughts? Other possibilities?
3. If staprun sees UID=EUID=0, then still skip the permission checks.
After that, check getenv("STAP_REAL_UID") and if set call setuid(), so
the control channel perms will match the UID and non-root stapio can
open it.
But I'm even more wary of modifying staprun, for fear of introducing a
hole in its security checks...
Josh
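The three mechanisms discussed in the message above (treating UID != EUID as a setuid invocation that must do its own checks, carrying the real UID in an environment variable such as STAP_REAL_UID, and dropping to that UID with setresuid) are shown below as an added example in C. It is illustration code written for this archive page, not staprun or stapio source; the STAP_REAL_UID name is taken from the thread, while invoked_setuid, parse_uid, parse_uid_value and drop_privileges are hypothetical helper names. It also adds the two checks a practitioner would want and that the message does not spell out: the environment value is parsed strictly because it comes from an untrusted caller, and the drop is verified afterwards so a failed drop is treated as an error rather than silently continuing with root.

```c
/* Added example: setuid detection, strict parsing of a UID passed through the
 * environment, and a verified privilege drop. Not systemtap's own code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* setresuid/getresuid are declared by glibc only under _GNU_SOURCE; declare
 * them here in case a prior include was processed before the define above. */
#ifndef __USE_GNU
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
#endif

/* A setuid or setgid binary runs with real ID != effective ID. That is the
 * condition the thread describes staprun using to decide it must run its
 * own permission checks rather than trust the caller. */
int invoked_setuid(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Parse a UID from an untrusted string (e.g. the hypothetical STAP_REAL_UID
 * environment variable). Returns 0 and stores the UID on success, -1 on any
 * malformed input: empty string, sign or whitespace, trailing garbage,
 * overflow, or the reserved value (uid_t)-1 that setresuid treats as
 * "leave unchanged". */
int parse_uid(const char *s, uid_t *out) {
    if (s == NULL || *s == '\0' || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;
    if (v >= (unsigned long)(uid_t)-1)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Convenience wrapper: the parsed UID as a long, or -1 when rejected. */
long parse_uid_value(const char *s) {
    uid_t u;
    if (parse_uid(s, &u) != 0)
        return -1;
    return (long)u;
}

/* Drop to the target UID permanently: real, effective and saved UID are all
 * set, then read back to confirm the kernel applied the change. setresuid is
 * used instead of setuid because setuid from a non-root EUID changes only the
 * effective UID and leaves the saved UID, so the drop could be undone.
 * Returns 0 on success, -1 if the process is not in the expected state. */
int drop_privileges(uid_t target) {
    if (setresuid(target, target, target) != 0)
        return -1;
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    if (r != target || e != target || s != target)
        return -1;
    /* After dropping from root, regaining root must fail. If it succeeds we
     * are root again and the caller must not proceed. */
    if (target != 0 && setresuid(0, 0, 0) == 0)
        return -1;
    return 0;
}

int main(void) {
    if (invoked_setuid())
        printf("setuid invocation: uid=%u euid=%u\n",
               (unsigned)getuid(), (unsigned)geteuid());

    /* Option 3 from the thread: honour STAP_REAL_UID when set. Default to the
     * real UID so the program is safe to run without the variable. */
    uid_t target = getuid();
    const char *env = getenv("STAP_REAL_UID");
    if (env != NULL && parse_uid(env, &target) != 0) {
        fprintf(stderr, "refusing malformed STAP_REAL_UID=\"%s\"\n", env);
        return 1;
    }
    if (drop_privileges(target) != 0) {
        fprintf(stderr, "privilege drop to uid %u failed\n", (unsigned)target);
        return 1;
    }
    printf("now running as uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Run as root with STAP_REAL_UID=1000 the program ends up with all three UIDs set to 1000 and fails closed if that does not happen; run as an ordinary user it is a no-op drop to its own UID. The strict parser matters because getenv() output is attacker-controlled for any caller that can set the environment.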