From 80f2faf4a800abc8cebd7fdddb998e7168a182cf Mon Sep 17 00:00:00 2001 From: Dave Brolley Date: Fri, 4 Feb 2011 13:32:37 -0500 Subject: [PATCH] PR 12428 - Document Compile Server/Client Setup and Admin - New README.unprivileged - Update info about unprivileged mode in stap.1 and in stap-server.8 - Don't bother autoconfing paths in stap-server.8. Refer to stappaths instead. --- Makefile.in | 8 +- README.unprivileged | 284 ++++++++++++++++++++++++++++++ configure | 3 +- configure.ac | 1 - stap-server.8.in => stap-server.8 | 72 ++++---- stap.1 | 38 +++- 6 files changed, 353 insertions(+), 53 deletions(-) create mode 100644 README.unprivileged rename stap-server.8.in => stap-server.8 (91%) diff --git a/Makefile.in b/Makefile.in index 5cf0cdc2c..537d804d5 100644 --- a/Makefile.in +++ b/Makefile.in @@ -70,8 +70,7 @@ DIST_COMMON = INSTALL NEWS README AUTHORS $(srcdir)/Makefile.in \ $(srcdir)/Makefile.am $(top_srcdir)/configure \ $(am__configure_deps) $(srcdir)/config.in \ $(top_srcdir)/includes/sys/sdt-config.h.in \ - $(srcdir)/stappaths.7.in $(srcdir)/stap-server.8.in \ - $(top_srcdir)/initscript/systemtap.in \ + $(srcdir)/stappaths.7.in $(top_srcdir)/initscript/systemtap.in \ $(top_srcdir)/initscript/stap-server.in $(srcdir)/run-stap.in \ $(srcdir)/dtrace.in depcomp $(am__noinst_HEADERS_DIST) \ $(oldinclude_HEADERS) @@ -84,8 +83,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = config.h CONFIG_CLEAN_FILES = includes/sys/sdt-config.h stappaths.7 \ - stap-server.8 initscript/systemtap initscript/stap-server \ - run-stap dtrace + initscript/systemtap initscript/stap-server run-stap dtrace CONFIG_CLEAN_VPATH_FILES = @BUILD_TRANSLATOR_TRUE@am__EXEEXT_1 = stap$(EXEEXT) am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(pkglibexecdir)" \ @@ -503,8 +501,6 @@ includes/sys/sdt-config.h: $(top_builddir)/config.status $(top_srcdir)/includes/ cd $(top_builddir) && $(SHELL) ./config.status $@ stappaths.7: $(top_builddir)/config.status $(srcdir)/stappaths.7.in cd $(top_builddir) && $(SHELL) ./config.status $@ -stap-server.8: $(top_builddir)/config.status $(srcdir)/stap-server.8.in - cd $(top_builddir) && $(SHELL) ./config.status $@ initscript/systemtap: $(top_builddir)/config.status $(top_srcdir)/initscript/systemtap.in cd $(top_builddir) && $(SHELL) ./config.status $@ initscript/stap-server: $(top_builddir)/config.status $(top_srcdir)/initscript/stap-server.in diff --git a/README.unprivileged b/README.unprivileged new file mode 100644 index 000000000..8fc7f7f6f --- /dev/null +++ b/README.unprivileged @@ -0,0 +1,284 @@ +Unprivileged Mode for Systemtap Users +===================================== + +Introduction +------------ +In order to use the full capabilities of systemtap, one must run it as root or +as a member of the group stapdev. For other (unprivileged) users, systemtap +does provide support for use of a subset of systemtap's capabilities to perform +limited probing. For example, tracing your own applications or +polling using timers. The intent is to give unprivileged users capabilities +similar to those provided by a debugger. + +Below are instructions for running systemtap scripts in unprivileged mode. + +Systemtap Compile Server +------------------------ +In order to load the kernel module produced by compiling a systemtap script +for an unprivileged user, we must know that the script was compiled correctly +and that the script does not do anything dangerous. A systemap compile server +provides the trusted compilation environment needed to certify both conditions. + +NOTE: In order to use a compile server, the nss and nspr packages must be +installed on the client host and systemtap must have been built with +NSS enabled. Run 'stap -V | grep NSS' to find out if NSS is enabled. + +NOTE: In order to detect servers on the local network, the avahi package must be +installed on the client host and systemtap must have been built with avahi +enabled. Run 'stap -V | grep AVAHI' to find out if avahi is enabled. + +To find out if a suitable server is available on the local network, this +command should produce output similar to the following: + +# stap --list-servers --unprivileged +Systemtap Compile Server Status for 'online,trusted,compatible,signer' + host=somehost ip=10.15.16.156 port=10913 sysinfo="2.6.34.7-66.fc13.x86_64 x86_64" certinfo="00:93:49:be:2a" + +NOTE: In order for servers to be detected, the port for mDNS (5353/udp) + must be open on the server and client hosts. + +If no servers are listed, then you must ask your system administrator to +make the appropriate compile server available on the local host or on the +local network. The server must be trusted as an ssl peer and as a systemtap +module signer on the local host. + +See "Setup and Administration of Unprivileged Users for System Administrators" +below for more details. + +Trust of Unprivileged Users +--------------------------- +Even with the appropriate compile server available, each +unprivileged user must be explicitely trusted. This is done by adding each +unprivileged user to the group stapusr on each host on which they will +run systemtap scripts. To see if you are a member of the group stapusr on the +local host, this command should produce output similar to the following: + +# getent group stapusr +stapusr:x:483:someuser,anotheruser + +If your userid is listed, then you are already a member of the group stapusr. +If it is not, then you must ask your system administrator to add you to this +group. + +Once added, Try the command + + newgrp stapusr + +to activate your membership. If all else fails, logging out and back in +again should work. See the manual page for newgrp(1) for details. + +Using Systemtap in Unprivileged Mode +------------------------------------ +Unprivileged users can compile any systemtap script either directly or using +a compile server, but systemtap will not load the resulting kernel module +for an unprivileged user unless it has been compiled and certified by a +trusted compile server. To do this, as an unprivileged user, +this command should produce the following output similar: + +# stap -e 'probe begin { printf ("Hello\n"); exit (); }' +Hello + +For unprivileged users, stap will automatically add the options +--unprivileged and --use-server (you could also specify them yourself). + + --use-server tells systemtap to compile the script using a server. + + --unprivileged tells the server to check the script to maker sure it + doesn't do anything 'dangerous', i.e. nothing that an ordinary user + shouldn't be able to do. + +If the server approves of your script and is able to compile it, systemtap will then load the resulting module for you even though you are an unprivileged +user. + +If you save the resulting module by using the -p4 option of stap, then trusted, +unprivileged users can load the module at a later time using staprun: + +# stap -e 'probe begin { printf ("Hello\n"); exit (); }' -p4 +stap_5330.ko +# staprun stap_5330.ko +Hello + +Note that the module has already been ceritified (signed), so no special options +are needed. + +Additional Information +---------------------- +o When specifying path names in your script and compiling using a server, + you must use a server which has access to those paths (e.g. via nfs, or a + server on the local host) and you must specify the paths in full from the + servers's point of view. For example, specify + + probe process("foo").begin() + + as + + probe process("/the/full/path/as/seen/by/the/server/to/foo").begin() + +o You can use '--unprivileged -pN' (for 1 <= N <= 4) without --use-server to + compile and check scripts directly. stap will still check your script for + 'dangerous' behavior, but will not load it for an unprivileged user. + +o When using --unprivileged, all compile time and run time restrictions are + enforced for all users, including root and members of the group stapdev. + + + +Setup and Administration of Unprivileged Users for System Administrators +======================================================================== + +Introduction +------------ +In order to use the full capabilities of systemtap, one must run it as root or +as a member of the group stapdev. For other (unprivileged) users, systemtap +does provide support for use of a subset of systemtap's capabilities to perform +limited probing. For example, tracing your own applications or +polling using timers. The intent is to give unprivileged users capabilities +similar to those provided by a debugger. + +In order for this to happen, the system administrator must first perform some +setup: + +o Systemtap compile server(s) must be made available on the local network. + One server is needed for each kernel version and architecture pair for which + users will compile scripts. + +o The compile server(s) must be trusted as an SSL peer and as a signer of + systemtap modules on hosts on which unprivileged users will compile and + run their scripts respectively. + +o Unprivileged users must be added to the group stapusr on the host(s) on which + they will run their scripts. + +Below are the necessary steps for the system administrator to setup the above +infrastructure. + +Systemtap Compile Server +------------------------ +In order to load the kernel module produced by compiling a systemtap script +for an unprivileged user, we must know that the script was compiled correctly +and that the script does not do anything dangerous. A systemap compile server +provides a trusted environment needed to certify both conditions. + +In order to make a compile server available on the local network the +systemtap-server package and its prerequisites must be installed on the server +host. + +The system administrator then uses the following command: + +sudo service stap-server start [-r KERNEL-RELEASE] [-a ARCH] + +For example: + +# sudo service stap-server start -r 2.6.34.7-61.fc13.x86_64 -a x86_64 +Starting stap-server -a "x86_64" -r "2.6.34.7-61.fc13.x86_64" -u "stap-server" + [ OK ] + +This starts a compile server for the specified kernel release and hardware +architecture. The kernel and kernel-devel package for the specified release and +architecture must be installed on the server host. The kernel-debuginfo package +for each kernel release and archtecture should also be installed, but is not +relevant for unprivileged users. + +If either one (or both) the kernel release and/or architecture is not +specified, the kernel release and/or architecture of the server host will be +used: + +# sudo service stap-server start +Starting stap-server -a "x86_64" -r "2.6.34.7-66.fc13.x86_64" -u "stap-server" + [ OK ] + +As a short cut, to start a server for each kernel release and architecture +installed on the server host, use the command: + +# sudo service stap-server start -i +Starting stap-server -a "x86_64" -r "2.6.34.7-61.fc13.x86_64" -u "stap-server" + [ OK ] +Starting stap-server -a "x86_64" -r "2.6.34.7-63.fc13.x86_64" -u "stap-server" + [ OK ] +Starting stap-server -a "x86_64" -r "2.6.34.7-66.fc13.x86_64" -u "stap-server" + [ OK ] + +NOTE: Only root can start a systemtap server using the service command. + +Trust of Compile Servers +------------------------ +Once systemtap compile servers have been made available on the local network, +the system administrator must certify which ones are trusted as SSL peers, +as systemtap kernel module signers or both. + +Certifying a compile server as an SSL peer means what the system administrator +trusts that it compile systemtap scripts correctly. + +Certifying a compile server as a module signer means that the system +administrator trusts it to correctly check a systemtap script for +behavior which should not be made available to unprivileged users. When a +script is compiled using the --unprivileged option, the server checks the +script for such behavior and cryptographically signs the resulting module if it +is safe for use by unprivileged users. Verification of ths signature certifies +that the module was certified as 'safe' by the server and that it has not been +altered since it was certified. + +Systemtap compile servers started by using the 'service' command are +automatically trusted both as SSL peers and as module signers on the server's +host. No further setup of the servers is necessary for users (clients) on +that same host. + +Before clients on another host can make use of a server, the system +administrator of each client host must certify trust in that server. +This is performed in two steps: + +1) Identify the server(s) to be trusted. + + # stap --list-servers=online,compatible + Systemtap Compile Server Status for 'online,compatible' + host=somehost ip=10.15.16.156 port=26543 sysinfo="2.6.34.7-66.fc13.x86_64 x86_64" certinfo="00:93:49:be:2a" + + Identify the server(s) to be trusted by examining the + host name, ip address and sysinfo (kernel release and architecture). Take + note of the 'certinfo' field of each server to be trusted. + + NOTE: In order for servers to be detected, the port for mDNS (5353/udp) + must be open on the server and client hosts. + +2) For each server to be trusted for use by unprivileged clients, use the + command: + + sudo stap --trust-servers=ssl,signer,all-users --use-server=CERTINFO1 [--use-server=CERTINFO2 ...] + + where each CERTINFOn is the value of the 'certinfo' field of a server to be + trusted (obtained using the previous command). + + For example: + + # sudo stap --trust-servers=ssl,signer,all-users --use-server=00:93:49:be:2a + Add trust in the following servers as an SSL peer for all users and as a module signer for all users? + host=somehost ip=10.15.16.156 port=26543 sysinfo="2.6.34.7-66.fc13.x86_64 x86_64" certinfo="00:93:49:be:2a" + [y/N] y + + Using the 'certinfo' to specify each server ensures that the exact servers + which were intended are the ones which become trusted. Note that only root + can certify trust in a server as signer in this way. + +Now verify the result: + +# stap --list-servers --unprivileged +Systemtap Compile Server Status for 'online,trusted,compatible,signer' + host=somehost ip=10.15.16.156 port=26543 sysinfo="2.6.34.7-66.fc13.x86_64 x86_64" certinfo="00:93:49:be:2a" + +Each of the servers you specified in stap 2 above should be listed. + +Trust of Unprivileged Users +--------------------------- +Finally, once compile servers have been set up and are trusted, each +unprivileged user must be explicitely trusted. This is done by adding each +unprivileged user to the group stapusr on each host on which they will +run systemtap scripts: + + sudo usermod -a -G stapusr USERID + +If the user is already logged in, they can try using + + newgrp stapusr + +to activate their membership. If all else fails, logging out and back in +again should work. See newgrp(1) for details. diff --git a/configure b/configure index 1c47d569d..b3189755b 100755 --- a/configure +++ b/configure @@ -7652,7 +7652,7 @@ _ACEOF ac_config_headers="$ac_config_headers config.h:config.in" -ac_config_files="$ac_config_files Makefile doc/Makefile doc/beginners/Makefile doc/SystemTap_Tapset_Reference/Makefile grapher/Makefile grapher/stapgraph.1 stappaths.7 stap-server.8 initscript/systemtap initscript/stap-server" +ac_config_files="$ac_config_files Makefile doc/Makefile doc/beginners/Makefile doc/SystemTap_Tapset_Reference/Makefile grapher/Makefile grapher/stapgraph.1 stappaths.7 initscript/systemtap initscript/stap-server" @@ -8454,7 +8454,6 @@ do "grapher/Makefile") CONFIG_FILES="$CONFIG_FILES grapher/Makefile" ;; "grapher/stapgraph.1") CONFIG_FILES="$CONFIG_FILES grapher/stapgraph.1" ;; "stappaths.7") CONFIG_FILES="$CONFIG_FILES stappaths.7" ;; - "stap-server.8") CONFIG_FILES="$CONFIG_FILES stap-server.8" ;; "initscript/systemtap") CONFIG_FILES="$CONFIG_FILES initscript/systemtap" ;; "initscript/stap-server") CONFIG_FILES="$CONFIG_FILES initscript/stap-server" ;; "run-stap") CONFIG_FILES="$CONFIG_FILES run-stap" ;; diff --git a/configure.ac b/configure.ac index 310893079..ea69eabd9 100644 --- a/configure.ac +++ b/configure.ac @@ -586,7 +586,6 @@ doc/beginners/Makefile doc/SystemTap_Tapset_Reference/Makefile \ grapher/Makefile \ grapher/stapgraph.1 \ stappaths.7 \ -stap-server.8 \ initscript/systemtap initscript/stap-server ]) AC_CONFIG_SUBDIRS(testsuite runtime/staprun) if test $enable_translator == "yes"; then diff --git a/stap-server.8.in b/stap-server.8 similarity index 91% rename from stap-server.8.in rename to stap-server.8 index e61027117..e6aeff241 100644 --- a/stap-server.8.in +++ b/stap-server.8 @@ -160,8 +160,9 @@ This option allows the specification of a server configuration by nickname. When \fB\-n\fR is specified, a currently running server with the given nickname will be searched for. If no currently running server with the given nickname is found, a server configuration with the given nickname will be searched for in -\fI@prefix@/etc/stap\-server/conf.d/*.conf\fR, or the path configured in -\fI@prefix@/etc/sysconfig/stap\-server\fR or the config file specified by the +the configuration files for default servers, +or the path configured in the global configuration file or +the configuration file specified by the \fB\-c\fR option. If a server configuration for the given nickname is found, the \fB\-a\fR, \fB\-r\fR, \fB\-I\fR, \fB\-R\fR, \fB\-B\fR and \fB\-u\fR options for @@ -205,7 +206,7 @@ specify which servers are to be started by default. .SH Global Configuration -The Global Configuration file (\fI@prefix@/etc/sysconfig/stap\-server\fR) contains +The Global Configuration file contains variable assignments used to configure the overall operation of the service. Each line beginning with a '#' character is ignored. All other lines must be of the form \fIVARIABLE=VALUE\fR. This is not a shell script. The entire @@ -216,18 +217,15 @@ The following variables may be assigned: .TP .B CONFIG_PATH Specifies the absolute path of the directory containing the default server -configurations -(default: \fI@prefix@/etc/stap\-server/conf.d/\fR). +configurations. .TP .B STAT_PATH -Specifies the absolute path of the running server status directory -(default: \fI@prefix@/var/run/stap\-server/\fR). +Specifies the absolute path of the running server status directory. .TP .B LOG_FILE -Specifies the absolute path of the log file -(default: \fI@prefix@/var/log/stap\-server.log\fR). +Specifies the absolute path of the log file. .TP .B STAP_USER @@ -248,7 +246,7 @@ contents of the line after the = will be assigned as\-is to the variable. Each configuration file must have a filename suffix of \fI.conf\fR. The default -location of these files is \fI@prefix@/etc/stap\-server/conf.d/\fR, but this can be +location of these files can be overridden in the global configuration file using the \fB\-c\fR option (see \fIOPTIONS\fR). @@ -326,14 +324,22 @@ certificate for the default user (\fIstap\-server\fR) is automatically generated and installed. This means that servers started by the \fIstap\-server\fR initscript, with the default user, are automatically trusted by clients on the local -host. +host, both as an SSL peer and as a systemtap module signer. Furthermore, +when stap is invoked by an unprivileged user +(not root, not a member of the group stapdev, but a member of the group +stapusr), the options \fI\-\-use\-server\fR and \fI\-\-unprivileged\fR +are automatically added to the specified options. +This means that unprivileged users +on the local host can use a server on the local host +in unprivileged mode with no further setup or options required. .PP In order to use a server running on another host, that server\[aq]s certificate must be installed on the client\[aq]s host. See the \fI\-\-trust\-servers\fR option in the .IR stap (1) -manual page for more details. +manual page for more details and README.unprivileged in the systemtap sources +for more details.. .SH EXAMPLES See the @@ -362,6 +368,14 @@ To stop one of the servers by referencing its process id (obtained by running .PP .B \& $ [ service ] stap\-server stop \-p \fIPID\fR .PP +To run a script using a compile server: +.PP +.B \& $ stap SCRIPT \-\-use\-server +.PP +To run a script as an unprivileged user using a compile server: +.PP +.B \& $ stap SCRIPT +.PP To stop all running servers: .PP .B \& $ [ service ] stap\-server stop @@ -391,20 +405,20 @@ using the \fI\-u\fR option on invocation, by specifying user must have authority to run processes as another user. See \fICONFIGURATION\fR. -The selected user must have write access to the server log file (default: \fI@prefix@/var/log/stap\-server.log\fR). The location of the server log file may +The selected user must have write access to the server log file. +The location of the server log file may be changed by setting \fILOG_FILE=\fRpath in the global configuration file. See \fICONFIGURATION\fR. The selected user must have -read/write access to the directory containing the server status files -(default: \fI@prefix@/var/run/stap\-server/\fR). The location of the server +read/write access to the directory containing the server status files. +The location of the server status files may be changed by setting \fISTAT_PATH=\fRpath in the global configuration file. See \fICONFIGURATION\fR. The selected user must have -read/write access to the uprobes.ko build directory and its files -(default: \fI@prefix@/share/systemtap/runtime/uprobes/\fR). +read/write access to the uprobes.ko build directory and its files. Neither form of stap\-server will run if the selected user is root. @@ -451,28 +465,8 @@ access permissions before making use of any certificate database. .SH FILES .TP -@prefix@/etc/sysconfig/stap\-server/ -Global configuration file. - -.TP -@prefix@/etc/stap\-server/conf.d/*.conf -Configuration files for default servers. - -.TP -@prefix@/var/run/stap\-server/ -Default location of status files for running servers. - -.TP -@prefix@/var/log/stap\-server.log -Default log file. - -.TP -@prefix@/share/systemtap/runtime/uprobes/ -Location of the uprobes.ko build directory. - -.TP -/lib/modules/ -Location of installed kernels. +Important files and their corresponding paths can be located in the +stappaths (7) manual page. .SH SEE ALSO .IR stap (1), diff --git a/stap.1 b/stap.1 index 697ce324d..681e4e0c3 100644 --- a/stap.1 +++ b/stap.1 @@ -296,6 +296,24 @@ read from the cache, but resulting files from this run will still be written to the cache. This is meant as a troubleshooting aid when stap's cached behavior seems to be misbehaving. +.TP +.BI \-\-unprivileged +This option instructs \fIstap\fR to examine the script looking for constructs +which are not allowed for unprivileged users. Compilation fails if any such +constructs are used. +If this option is specified when using a compile server +(see \fI\-\-use\-server\fR), +the server will examine the script and, if compilation succeeds, the +server will cryptographically sign the resulting kernel module, certifying +that is it safe for use by unprivileged users. + +If \fI\-\-unprivileged\fR has not been specified, +\fI\-pN\fR has not been specified with N < 5, +and the invoking user not +\fIroot\fR, is not a member of the group \fIstapdev\fR, but is a member of the +group \fIstapusr\fR, then \fIstap\fR will automatically +add \fI\-\-unprivileged\fR to the options already specified. + .TP \fB\-\-use\-server \fR[\fIHOSTNAME\fR[\fI:PORT\fR] | \fIIP_ADDRESS\fR[\fI:PORT\fR] | \fICERT_SERIAL\fR] Specify compile\-server(s) to be used for compilation and/or in conjunction @@ -323,14 +341,24 @@ below). If a server is specified by host name or ip address, then an optional port number may be specified. This is useful for accessing servers which are not on the local network or to specify a particular server. +If \fI\-\-use\-server\fR has not been specified, +\fI\-pN\fR has not been specified with N < 5, +and the invoking user not \fIroot\fR, +is not a member of the group \fIstapdev\fR, but is a member of the group +\fIstapusr\fR, then \fIstap\fR will automatically +add \fI\-\-use\-server\fR to the options already specified. + .TP \fB\-\-use\-server\-on\-error \fR[\fByes\fR|\fBno\fR] Instructs stap to retry compilation of a script using a compile server if -compilation on the local host fails. -If this option is not specified or if no argument is provided, then the default -is \fIyes\fR. Compilation will not be retried for certain types of errors -(e.g. syntax errors) which would also occur during re\-compilation by a compile -server. One local compile server will be selected automatically for the +compilation on the local host fails in a manner which suggests that it might +succeed using a server. +If this option is not specified, the default is \fIno\fR. +If no argument is provided, then the default +is \fIyes\fR. Compilation will be retried for certain types of errors +(e.g. insufficient data or resources) which may not occur during +re\-compilation by a compile +server. Compile servers will be selected automatically for the re\-compilation attempt as if \fI\-\-use\-server\fR was specified with no arguments. -- 2.43.5