Need some security advice for systemtap
Stone, Joshua I
joshua.i.stone at intel.com
Tue Jun 19 20:42:11 UTC 2007
David Smith wrote:
> Martin Hunt wrote:
>> On Mon, 2007-06-18 at 14:44 -0500, David Smith wrote:
>>> Pavel Kankovsky wrote:
>>>> On Mon, 11 Jun 2007, David Smith wrote:
>>>
>>>> BTW2: Let's suppose start_cmd() creates a process running under an
>>>> unprivileged user. I think it can be killed (by the unprivileged
>>>> user) before it gets SIGUSR1 and the system might recycle its pid.
>>>> Therefore kill() in STP_START branch of stp_main_loop() is unsafe.
>>> Hmm. Got any ideas on how to fix this?
>>
>> So, while the module loads its probes, we kill the start_cmd() process
>> and create enough new processes to recycle the pid? Then staprun sends
>> either SIGKILL or SIGUSR1 to the wrong process? Theoretically, if we set
>> tens of thousands of probes, we would have a few milliseconds to do
>> this.
>
> I do agree it isn't a likely occurrence, but if it is possible to fix we
> ought to look at it.
This should be manageable. When a child process exits, it sends a
SIGCHLD and sits as a zombie until the parent has wait()ed for it. As
long as it's a zombie, the pid won't be recycled.
We just need to notice in our sig handler that the start_cmd process
died, and make sure we don't try to kill the pid after that.
Josh
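The guard Josh describes, written out as an added example in C (not staprun's own code): a SIGCHLD handler sets a flag, the kill() is skipped once the flag is set, and waitpid() is deferred until the pid is no longer needed, so the child stays a zombie and its pid cannot be recycled in the meantime. start_child() is an assumed stand-in for start_cmd() that exits immediately to model the worst-case timing.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t child_exited = 0;  /* set by the SIGCHLD handler */
static pid_t child_pid = -1;                    /* the hypothetical start_cmd() child */
static void on_sigchld(int sig) { (void)sig; child_exited = 1; }
/* Install before forking so no exit is missed. No SA_NOCLDWAIT: the child
 * must stay a zombie, which keeps its pid reserved until we reap it. */
int install_sigchld_handler(void) {
    struct sigaction sa;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    sa.sa_handler = on_sigchld;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Stand-in for start_cmd(): the child exits at once (worst-case timing). */
pid_t start_child(void) {
    child_exited = 0;
    child_pid = fork();
    if (child_pid == 0) _exit(0);
    return child_pid;
}

/* Returns 1 once the SIGCHLD handler has run, i.e. the child is a zombie. */
int wait_until_exited(void) {
    struct timespec ts = {0, 1000000};  /* poll in 1 ms steps, up to 5 s */
    for (int i = 0; i < 5000 && !child_exited; i++) nanosleep(&ts, NULL);
    return child_exited ? 1 : 0;
}

/* The guarded kill(): 1 if sent, 0 if the child already exited. If the child
 * exits between the flag check and kill(), it is still an unreaped zombie,
 * so the pid cannot yet belong to anyone else. */
int signal_child(int sig) {
    if (child_pid <= 0 || child_exited) return 0;
    return kill(child_pid, sig) == 0;
}

/* Only now is the pid released. Returns the exit status, or -1. */
int reap_child(void) {
    int status;
    if (waitpid(child_pid, &status, 0) != child_pid) return -1;
    child_pid = -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Between wait_until_exited() and reap_child() the pid is still held by the zombie, which is why kill(pid, 0) keeps succeeding there while signal_child() already refuses to send anything.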