Need some security advice for systemtap
David Smith
dsmith at redhat.com
Mon Jun 18 19:44:53 UTC 2007
Pavel Kankovsky wrote:
> On Mon, 11 Jun 2007, David Smith wrote:
>
>> (D) staprun.auth will need to disallow certain staprun.auth command-line
>> arguments, such as:
>
> Plus:
>
> - "-u USERNAME" (assuming you allow -c, otherwise it has no effect;
> on the other hand, its support in staprun can help to to make it
> possible to use -c via staprun.auth)
>
> - "-t PID" (or "-x PID") (you need to disallow this because it is
> virtually impossible to avoid race conditions when you check whether
> a user is allowed to mess with a certain running process; alternatively,
> you can allow it and make it a requirement for blessed scripts that
> authorized users can attach them to any running process without
> compromising the security of the system)
I knew about '-u USERNAME'. We'll probably allow '-x PID' for
authorized users because if they can look at the entire system there
isn't any point in not allowing them to look at a single process.
> On 11 Jun 2007, Frank Ch. Eigler wrote:
>
>> Actually, it doesn't. A setuid program can drop its privileges after
>> performing the root-only operations (module loading), and invoke the
>> rest of the normal commands as the real userid.
>
> Staprun has to keep root privileges to be able to unload the kernel module
> when it finishes. Moreover, the mere possesion of an open fd for the
> control channel seems to be dangerous enough to make staprun de facto
> running under euid 0 as long as it keeps the fd open (correct me if I am
> wrong).
Yep, you are right.
> BTW1: staprun should close the file descriptors it uses internally
> (control fd, relayfs fds) when it executes the target program given by -c.
Good idea, I'll work on that.
> BTW2: Let's suppose start_cmd() creates a process running under an
> unprivileged user. I think it can be killed (by the unprivileged user)
> before it gets SIGUSR1 and the system might recycle its pid. Therefore
> kill() in STP_START branch of stp_main_loop() is unsafe.
Hmm. Got any ideas on how to fix this?
> On Mon, 11 Jun 2007, David Smith wrote:
>
>> Perhaps there is a merged approach. Keep staprun_auth a thin wrapper
>> around staprun, but change staprun to raise and lower privileges as
>> needed when inserting/removing modules, setting up relayfs, etc.
>
> This might work but be very careful when you do it while multiple threads
> are running.
I believe I see what you mean here - if one thread raises privilegs
while another thread performs a security-sensitive operation, we've got
a problem.
Thanks for your time.
--
David Smith
dsmith at redhat.com
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)
More information about the security
mailing list