This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: run-stap vs -c


Josh Stone wrote:
> If staprun sees that UID!=EUID, then that looks like a setuid
> invocation, so it must do all of its permission checks.  So to bypass
> the checks, run-stap has to invoke staprun with UID=EUID=0 (which is
> what you had).
> 
> In that case, the control channel has root-only perms.  I see two ways
> for a non-root stapio to get at it:
> 
> 1. Let run-stapio open the channel, set UID=EUID!=0, and pass the fd# as
> a stapio argument or environment variable.
> 
> 2. Let run-stapio leave EUID=0 and set UID!=0 (which is what you had).
> Then after stapio opens the control channel, it can notice that
> UID!=EUID and so call setresuid to drop permissions.
> 
> Both of those require modifying stapio, but #1 seems a little safer to
> me.  Thoughts?  Other possibilities?

3. If staprun sees UID=EUID=0, then still skip the permission checks.
After that, check getenv("STAP_REAL_UID") and if set call setuid(), so
the control channel perms will match the UID and non-root stapio can
open it.

But I'm even more wary of modifying staprun, for fear of introducing a
hole in its security checks...

Josh
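Option 1 from the quoted message, as an added example that is not part of the original post or SystemTap's code: the privileged launcher opens the root-only file, exports the descriptor number, then drops privileges permanently, and the unprivileged child validates the number it was handed. The function names and the `EXAMPLE_CTL_FD` variable are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Repeated in case _GNU_SOURCE is defined too late to expose them. */
int setresgid(gid_t, gid_t, gid_t);
int setresuid(uid_t, uid_t, uid_t);

/* Permanently drop to uid/gid: supplementary groups first, then GID,
 * then UID. Returns 0 only if the drop is complete and irreversible. */
int drop_to_uid(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root must not be regainable */
    return 0;
}

/* Child side: validate an fd number received as text (argument or
 * environment value). Returns the fd, or -1 if malformed or not open. */
int parse_inherited_fd(const char *text)
{
    char *end;
    long v;
    if (text == NULL || *text == '\0') return -1;
    v = strtol(text, &end, 10);
    if (*end != '\0' || v < 3 || v > 65535) return -1;   /* never stdio fds */
    if (fcntl((int)v, F_GETFD) == -1) return -1;         /* not inherited */
    return (int)v;
}

/* Parent side: open while privileged, export the fd number, then drop.
 * EXAMPLE_CTL_FD is a hypothetical variable name. */
int open_then_drop(const char *path, uid_t uid, gid_t gid)
{
    char buf[16];
    int fd = open(path, O_RDWR);          /* no O_CLOEXEC: must survive exec */
    if (fd < 0) return -1;
    snprintf(buf, sizeof buf, "%d", fd);
    if (setenv("EXAMPLE_CTL_FD", buf, 1) != 0 || drop_to_uid(uid, gid) != 0) {
        close(fd); return -1;
    }
    return fd;   /* caller now execs the unprivileged child */
}
```

The order in `drop_to_uid` matters: once the UID is dropped the process can no longer change its groups or GID, so those go first.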

