This is the mail archive of the
mailing list for the systemtap project.
important systemtap security fix
- From: "Frank Ch. Eigler" <fche at redhat dot com>
- To: systemtap at sources dot redhat dot com
- Date: Wed, 17 Nov 2010 10:11:07 -0500
- Subject: important systemtap security fix

On Monday, Tavis Ormandy kindly let us know of two serious problems in
the setuid-root /usr/bin/staprun program. These have now been patched
in the git repo, and updates are being released for RHEL and Fedora.

Until you install the patches, one workaround would be to remove the
setuid bits from staprun (chmod u-s /usr/bin/staprun), and operate it
only as root. After the patches, the main end-user difference will be
that current non-root 'stapdev' users (who are root-equivalent in
systemtap powers) would also have to be added to the 'stapusr'
(limited-privilege powers) group.

We are sorry for the inconvenience.
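
A host check for the two points in the message above, as an added example that is not part of the original post or of systemtap's own tooling: it reports whether staprun still carries the setuid bit and which 'stapdev' members are missing from 'stapusr'. The function names and the default group file path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the systemtap project): audit a host for the two
# points in the announcement. Paths are parameters so the checks can be run
# against constructed input; the defaults are assumptions about the host.

# has_setuid FILE: succeeds if FILE carries the setuid bit.
has_setuid() {
    [ -u "$1" ]
}

# group_members GROUP [GROUPFILE]: print the members listed in a group(5)
# file, one per line. Users who have GROUP only as their primary group are
# not listed in that file and are not reported.
group_members() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "${2:-/etc/group}"
}

# stapdev_not_stapusr [GROUPFILE]: print stapdev members missing from stapusr.
stapdev_not_stapusr() {
    gf="${1:-/etc/group}"
    usr=" $(group_members stapusr "$gf" | tr '\n' ' ')"
    for u in $(group_members stapdev "$gf"); do
        case "$usr" in
            *" $u "*) ;;
            *) echo "$u" ;;
        esac
    done
}

audit_staprun() {
    bin="${1:-/usr/bin/staprun}"
    if [ ! -e "$bin" ]; then
        echo "$bin: not present"
    elif has_setuid "$bin"; then
        echo "$bin: setuid bit set; patch, or chmod u-s and run it only as root"
    else
        echo "$bin: setuid bit not set"
    fi
    [ -r "${2:-/etc/group}" ] || return 0
    for u in $(stapdev_not_stapusr "${2:-/etc/group}"); do
        echo "stapdev member '$u' is not in stapusr"
    done
    return 0
}

audit_staprun "$@"
```

On hosts that resolve groups from a directory service, feed the function the output of `getent group` saved to a file instead of /etc/group.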