Need some security advice for systemtap
David Smith
dsmith at redhat.com
Tue Jun 19 19:56:50 UTC 2007
Martin Hunt wrote:
> On Mon, 2007-06-18 at 14:44 -0500, David Smith wrote:
>> Pavel Kankovsky wrote:
>>> On Mon, 11 Jun 2007, David Smith wrote:
>>
>>> BTW2: Let's suppose start_cmd() creates a process running under an
>>> unprivileged user. I think it can be killed (by the unprivileged user)
>>> before it gets SIGUSR1 and the system might recycle its pid. Therefore
>>> kill() in STP_START branch of stp_main_loop() is unsafe.
>> Hmm. Got any ideas on how to fix this?
>
> So, while the module loads its probes, we kill the start_cmd() process
> and create enough new processes to recycle the pid? Then staprun sends
> either SIGKILL or SIGUSR1 to the wrong process? Theoretically, if we set
> tens of thousands of probes, we would have a few milliseconds to do
> this.
I do agree it isn't a likely occurrence, but if it is possible to fix we
ought to look at it.
> Now that I've caught up on this discussion (sorry) I see we are simply
> talking about the blessed module approach to security. So the only
> issue here is how to load/unload the module, right? It seems like you
> have some good ideas. Why are we worrying about staprun? Load the
> module with your blessed loader, then staprun runs as a normal user. The
> only problem I see is unloading the module automatically.
The problem with the blessed loader approach is that:
(a) it duplicates code with regular staprun (although perhaps not much)
(b) unloading the module isn't possible
So, Frank and I have been trying to think through other ideas.
> BTW, you can kind of try this now.
>
> Run with sudo or root:
>> sudo /sbin/insmod close.ko
>> sudo chown hunt.hunt /sys/kernel/debug/systemtap/close/*
Actually that doesn't work if /sys/kernel/debug hasn't been mounted before.
> Now run staprun as a normal user
>> staprun -A close
> cpufreq-applet: close(17) = 0
> cpufreq-applet: close(17) = 0
> hald-addon-stor: close(4) = 0
> cpufreq-applet: close(17) = 0
> cpufreq-applet: close(17) = 0
> crond: close(5) = 0
> crond: close(5) = 0
> gpm: close(0) = 0
> cpufreq-applet: close(17) = 0
> cpufreq-applet: close(17) = 0
> DONE
> ERROR: Removing 'close': Operation not permitted
> ERROR: couldn't rmmod probe module close.
>
> --
>
> Hmmm. So lets say we create stap_load owned by
> root, group systemtap, and file permission would be 04110.
>
> stap_load is a C program that does something like
> if (root)
> insmod(modname)
> else if modname is blessed && user is valid
> insmod(modname)
> endif
>
> stap_unload would be similar or it could be the same program with
> an argument to indicate load/unload.
>
> Then rename staprun to staprun.bin and create a script, staprun:
> if stap_load modname
> staprun.bin modname ...
> stap_unload modname
> endif
>
> Are there problems with this approach?
Having two different setuid programs isn't the best plan. One possible
alternative could be:
stap_load (setuid) inserts module, then forks and execs (as a user)
"staprun -A". stap_load then waits for "staprun -A" to finish. After
staprun finishes, stap_load removes the module.
--
David Smith
dsmith at redhat.com
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)
More information about the security
mailing list