This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: run-stap vs -c


> Ok, I was approaching it as just "allow a non-setuid staprun", but to
> also skip the group setup is a bit trickier.

Right, the mandate is "developer who can sudo does configure; make; ./run-stap
and it works".  (And sorry about the yelling. ;-)

> If staprun sees that UID!=EUID, then that looks like a setuid
> invocation, so it must do all of its permission checks.  So to bypass
> the checks, run-stap has to invoke staprun with UID=EUID=0 (which is
> what you had).

Right.  It believing it's not setuid is also necessary for it to obey the
environment variables, which is key.

> In that case, the control channel has root-only perms.

This is not particularly desirable, though it's survivable for this
development scenario.  How about we just teach staprun to set the channel
to a different uid?  i.e., just take switches for the uid/gid to own the
channel pseudofiles, defaulting to getuid()/getgid().  The run-staprun
wrapper can pass $SUDO_UID and $SUDO_GID here.

That might even be a real feature in the long run, to have a
more-privileged admin thing that can decide to install a module, but have
stapio (and its permissions for output-writing, etc.) run in some other
chosen identity that isn't the same one that invokes staprun and doesn't
have to have permission to run staprun.

> 1. Let run-stapio open the channel, set UID=EUID!=0, and pass the fd# as
> a stapio argument or environment variable.

I suppose staprun could just work that way anyway (passing the open channel
fd).  But perhaps there is a reason it doesn't.

> 2. Let run-stapio leave EUID=0 and set UID!=0 (which is what you had).
> Then after stapio opens the control channel, it can notice that
> UID!=EUID and so call setresuid to drop permissions.

I think it's a better plan if stapio never in any circumstance runs with
elevated privilege.

> 3. If staprun sees UID=EUID=0, then still skip the permission checks.
> After that, check getenv("STAP_REAL_UID") and if set call setuid(), so
> the control channel perms will match the UID and non-root stapio can
> open it.

That is about like what I proposed above.

> But I'm even more wary of modifying staprun, for fear of introducing a
> hole in its security checks...

The staprun options I mentioned above would have that can of worms.  In the
conservative version that you suggested here, the only new code would be in
the path where the security checks are disabled already.


Thanks,
Roland
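An added illustration in C (not code from this thread or from the systemtap project) of the two pieces discussed above: picking the control-channel owner from environment variables such as the wrapper's $SUDO_UID/$SUDO_GID (the variable names are passed in and assumed), and a stapio-style privilege drop that refuses malformed ids and verifies root cannot be regained.

```c
#define _GNU_SOURCE              /* setresuid/setresgid/getresuid on glibc */
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdlib.h>
#include <unistd.h>
/* Explicit prototypes in case _GNU_SOURCE was not in effect for unistd.h. */
int setresuid(uid_t, uid_t, uid_t); int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);

/* Parse a uid/gid string such as $SUDO_UID. Only a plain non-negative
 * decimal number is accepted; anything else yields -1. */
long parse_id(const char *s)
{
    char *end; long v;
    if (s == NULL || *s == '\0' || *s == '-' || *s == '+') return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > INT_MAX) return -1;
    return v;
}

/* Identity to own the control channel: the caller's real ids unless the
 * named env vars (hypothetical names; the wrapper would fill them from
 * $SUDO_UID/$SUDO_GID) hold a valid override. A set-but-malformed value
 * is an error, never a silent fallback to root. */
int channel_owner(const char *uid_var, const char *gid_var,
                  uid_t *uid, gid_t *gid)
{
    const char *u = getenv(uid_var), *g = getenv(gid_var);
    long lu = u ? parse_id(u) : (long)getuid();
    long lg = g ? parse_id(g) : (long)getgid();
    if (lu < 0 || lg < 0) return -1;
    *uid = (uid_t)lu; *gid = (gid_t)lg;
    return 0;
}

/* Permanently drop to uid/gid: supplementary groups and gid first (they
 * need root to change), then uid; then verify the drop held and that root
 * cannot be regained. Returns 0 on success, -1 on any failure. */
int drop_to(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    if (setgroups(0, NULL) != 0 && errno != EPERM) return -1; /* EPERM: not root */
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0) return -1;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* drop must be irrevocable */
    return 0;
}
```

Called in the order channel_owner() then drop_to() after the channel is opened, it matches the "never elevated again" property Roland asks for: once drop_to() returns 0, the process cannot get root back.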

