Bug 10984

Summary: restrict unprivileged mode operation to "stapusr" or similar
Product: systemtap
Reporter: Frank Ch. Eigler <fche>
Component: runtime
Assignee: Dave Brolley <brolley>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: unspecified
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Bug Depends on:
Bug Blocks: 10907

Description Frank Ch. Eigler 2009-11-19 05:10:07 UTC
Considering the potential size of the worm can, for an early
non-experimental deployment of unprivileged mode, let's allow
sysadmins to restrict staprun to run even signed code only for
some users.

If we don't wish to build an elaborate ACL setup (or even a
simple one like /etc/ftpusers), how about restricting
signed mode to only "stapusr" people.  That way, two separate
actions are required by a local sysadmin: the approval of the
compilation environment, and approval of individual users.

Reuse of "staprun" as the groupid is probably plausible since
it's already a "lower privilege" sort of systemtap user, which
can only run precompiled stuff specifically installed under
/lib/modules/`uname -r`/systemtap.  The proposal here is to
also permit such people to run --unprivileged scripts / signed
modules.

(Another option is to create a third user group, like "stapunpriv",
but I can't think of a good case for it as distinct from stapusr.)
Comment 1 Dave Brolley 2009-11-24 19:56:03 UTC
commit 7067e1b0418eed528fe2d102654dbe12bb9236af

Minor rework as suggested on IRC pending.
Comment 2 Dave Brolley 2009-11-27 19:21:47 UTC
commit 1d4a927582c68e4278a1e44619e0cc310a83addf

Fix TOCTOU race between checking access permissions of /lib/modules/KVER/systemtap
and canonicalizing its path.

Improve error messages.
Comment 3 Frank Ch. Eigler 2009-11-28 18:44:26 UTC
committed
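Added example, not staprun's own code, illustrating the two mechanisms discussed above: a group-membership gate of the kind the description proposes for "stapusr" members, and the check-then-canonicalize ordering that Comment 2 describes as a TOCTOU race, written in the race-free order (open the directory, fstat the descriptor you actually hold, apply the policy to that inode, then canonicalize and confirm the canonical name still resolves to the same inode, and do all later opens relative to the fd). The group name, the owner/mode policy, the function names and the temporary-directory self-check are assumptions for illustration; the real permission policy staprun applies is not described on this page.

```c
/* Added example; not systemtap/staprun code. Group name, policy and
 * function names are assumptions for illustration. Linux/POSIX only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define STAP_GROUP "stapusr"   /* assumed name of the unprivileged-user group */

/* Pure helper: is `target` one of the `ngroups` ids in `groups`? */
int gid_in_list(gid_t target, const gid_t *groups, int ngroups)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == target)
            return 1;
    return 0;
}

/* 1 if the calling process is in group `name` (effective or supplementary),
 * 0 if not, -1 if the group does not exist or the lookup failed. */
int process_in_group(const char *name)
{
    struct group *gr = getgrnam(name);
    if (gr == NULL)
        return -1;
    if (getegid() == gr->gr_gid)
        return 1;
    int n = getgroups(0, NULL);                 /* size of the supplementary list */
    if (n < 0)
        return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof *list);
    if (list == NULL)
        return -1;
    n = getgroups(n, list);
    int r = (n < 0) ? -1 : gid_in_list(gr->gr_gid, list, n);
    free(list);
    return r;
}

/* Race-free directory check. The racy order is stat(path) -> policy check ->
 * realpath(path) -> use the canonical name: anyone who can swap a component of
 * `path` between those calls gets a different directory used than the one that
 * was checked. Here we open() first, fstat() the object we hold, apply the
 * policy to that inode, and only then canonicalize, confirming the canonical
 * name still resolves to the same (st_dev, st_ino). Callers must do later opens
 * with openat(fd, ...); `canon` is for messages only. Returns the fd or -1. */
int open_trusted_dir(const char *path, uid_t owner, char *canon, size_t canon_len,
                     const char **why)
{
    struct stat st, st2;
    char buf[PATH_MAX];
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) { *why = "cannot open directory"; return -1; }
    if (fstat(fd, &st) < 0) { *why = "fstat failed"; goto fail; }
    if (!S_ISDIR(st.st_mode)) { *why = "not a directory"; goto fail; }
    if (st.st_uid != owner) { *why = "unexpected owner"; goto fail; }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) { *why = "group- or world-writable"; goto fail; }
    if (realpath(path, buf) == NULL) { *why = "realpath failed"; goto fail; }
    if (stat(buf, &st2) < 0 || st2.st_dev != st.st_dev || st2.st_ino != st.st_ino) {
        *why = "path changed between check and canonicalization"; goto fail;
    }
    if (strlen(buf) >= canon_len) { *why = "canonical path too long"; goto fail; }
    strcpy(canon, buf);
    *why = NULL;
    return fd;
fail:
    close(fd);
    return -1;
}

/* Self-check on a constructed temporary directory: returns 1 when the policy
 * accepts a 0755 directory owned by us and rejects the same directory at 0775. */
int demo_dir_check(void)
{
    char tmpl[] = "/tmp/stapdir.XXXXXX";
    char canon[PATH_MAX];
    const char *why = NULL;
    char *dir = mkdtemp(tmpl);
    if (dir == NULL)
        return 0;
    int ok = 1;
    if (chmod(dir, 0755) < 0) ok = 0;
    int fd = open_trusted_dir(dir, getuid(), canon, sizeof canon, &why);
    if (fd < 0) ok = 0; else close(fd);
    if (chmod(dir, 0775) < 0) ok = 0;
    fd = open_trusted_dir(dir, getuid(), canon, sizeof canon, &why);
    if (fd >= 0) { ok = 0; close(fd); }
    else if (why == NULL || strcmp(why, "group- or world-writable") != 0) ok = 0;
    rmdir(dir);
    return ok;
}

int main(void)
{
    int in = process_in_group(STAP_GROUP);
    printf("caller in %s: %s\n", STAP_GROUP,
           in == 1 ? "yes" : in == 0 ? "no" : "group not found");
    printf("directory policy self-check: %s\n", demo_dir_check() ? "ok" : "FAILED");
    return 0;
}
```

The inode comparison only proves that the canonical string named the checked directory at the moment of the second stat(); it is the returned descriptor, used with openat(), that carries the guarantee forward, so the canonical name should appear in error messages and logs but never be reopened by name.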