Considering the potential size of the worm can, for an early non-experimental deployment of unprivileged mode, let's allow sysadmins to restrict staprun to run even signed code only for some users. If we don't wish to build an elaborate ACL setup (or even a simple one like /etc/ftpusers), how about restricting signed mode to only "stapusr" people. That way, two separate actions are required by a local sysadmin: the approval of the compilation environment, and approval of individual users. Reuse of "staprun" as the groupid is probably plausible since it's already a "lower privilege" sort of systemtap user, which can only run precompiled stuff specifically installed under /lib/modules/`uname -r`/systemtap. The proposal here is to also permit such people to run --unprivileged scripts / signed modules. (Another option is to create a third user group, like "stapunpriv", but I can't think of a good case for it as distinct from stapusr.)
commit 7067e1b0418eed528fe2d102654dbe12bb9236af Minor rework as suggested on IRC pending.
commit 1d4a927582c68e4278a1e44619e0cc310a83addf Fix TOCTOU race between checking access permissions of /lib/modules/KVER/systemtap and canonicalizing its path. Improve error messages.
committed
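The TOCTOU named in the second commit above (checking the module directory's permissions by path name, then canonicalizing and opening it) is avoided when every permission check is made with fstat() on the descriptor that is actually used. The C below is an added illustration of that pattern, not staprun's own code; `open_trusted_module`, its argument layout, the owner/mode policy it enforces and the `demo` fixture with its constructed /tmp paths are all assumptions for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Expected type, owned by `owner`, not group/other writable; fed fstat() results only. */
static int safe_mode(const struct stat *st, uid_t owner, mode_t type) {
    return (st->st_mode & S_IFMT) == type && st->st_uid == owner
        && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Open module `name` from `trusted_dir`. The directory is checked via its own fd and
 * the file is opened relative to that fd, so nothing can be swapped between check and use. */
int open_trusted_module(const char *trusted_dir, const char *name, uid_t owner) {
    struct stat st;
    /* Only a plain file name inside the directory is accepted. */
    if (!*name || strchr(name, '/') || !strcmp(name, ".") || !strcmp(name, ".."))
        return -1;
    int dfd = open(trusted_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return -1;
    if (fstat(dfd, &st) != 0 || !safe_mode(&st, owner, S_IFDIR)) { close(dfd); return -1; }
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    close(dfd);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !safe_mode(&st, owner, S_IFREG)) { close(fd); return -1; }
    return fd;
}

/* Constructed self-test: private temp dir with one acceptable and one world-writable module.
 * Bitmask result: 1 = good module opens, 2 = writable module refused, 4 = "../" refused. */
int demo(void) {
    char dir[] = "/tmp/stapdemoXXXXXX", good[64], bad[64];
    if (!mkdtemp(dir)) return -1;          /* created mode 0700, owned by us */
    snprintf(good, sizeof good, "%s/good.ko", dir);
    snprintf(bad, sizeof bad, "%s/bad.ko", dir);
    close(open(good, O_CREAT | O_WRONLY, 0644));
    close(open(bad, O_CREAT | O_WRONLY, 0666));
    chmod(bad, 0666);                      /* umask may have masked the write bits */
    uid_t me = getuid();
    int r = 0, fd;
    if ((fd = open_trusted_module(dir, "good.ko", me)) >= 0) { r |= 1; close(fd); }
    if (open_trusted_module(dir, "bad.ko", me) < 0) r |= 2;
    if (open_trusted_module(dir, "../good.ko", me) < 0) r |= 4;
    unlink(good); unlink(bad); rmdir(dir);
    return r;                              /* 7 when all three checks hold */
}
```

With a root-owned /lib/modules/KVER/systemtap the same call would pass `0` as `owner`; the fixture uses getuid() only so it can run unprivileged.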