authorDave Brolley <brolley@redhat.com>2009-04-14 12:33:28 -0400
committerDave Brolley <brolley@redhat.com>2009-04-14 12:33:28 -0400
commita2422e707214a425e4e10ac5b7c39fc5ae4dea56 (patch)
tree01bb7e3524498acb351dd5d95cb15a2ace605da7 /runtime/staprun/staprun_funcs.c
parent2f7ba4b8416eae26971da68fdc14aa8560a7939c (diff)
2009-04-14 Dave Brolley <brolley@redhat.com>
* translate.cxx (c_unparser::emit_unprivileged_user_check): Generate code to check _stp_unprivileged_user. * testsuite/lib/systemtap.exp (setup_server): Copy stap-env to $net_path. * runtime/transport/transport.c: Set up _stp_unprivileged_user. * runtime/staprun/staprun_funcs.c (check_signature): Distinguish among verification failure due to errors, tampering, untrusted signer. (check_permissions): Likewise. (check_groups): Set unprivileged_user. * runtime/staprun/staprun.c (insert_stap_module): Set _stp_unprivileged_user. * runtime/staprun/modverify.h (MODULE_OK): #define it. (MODULE_UNTRUSTED,MODULE_CHECK_ERROR,MODULE_ALTERED): Likewise. * runtime/staprun/modverify.c (modverify.h): #include it. (verify_it): Distinguish among verification failure due to errors, tampering, untrusted signer. (verify_module): Likewise. * runtime/staprun/common.c (unprivileged_user): Define it. * runtime/staprun/staprun.h (unprivileged_user): Declare it. * cache.cxx (get_from_cache): Get the module signature file. * stap-authorize-server-cert: Source `dirname $0`/stap-env. * stap-authorize-signing-cert: Likewise. * stap-client: Likewise. * stap-find-or-start-server: Likewise. * stap-find-servers: Likewise. * stap-gen-cert: Likewise. * stap-server: Likewise. * stap-serverd: Likewise. * stap-start-server: Likewise.
Diffstat (limited to 'runtime/staprun/staprun_funcs.c')
-rw-r--r--runtime/staprun/staprun_funcs.c27
1 files changed, 20 insertions, 7 deletions
diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c
index 020bb312..6e72fd72 100644
--- a/runtime/staprun/staprun_funcs.c
+++ b/runtime/staprun/staprun_funcs.c
@@ -20,6 +20,7 @@
#include <sys/utsname.h>
#include <grp.h>
#include <pwd.h>
+#include <assert.h>
extern long init_module(void *, unsigned long, const char *);
@@ -225,18 +226,18 @@ check_signature(void)
/* Use realpath() to canonicalize the module path. */
if (realpath(modpath, module_realpath) == NULL) {
perr("Unable to canonicalize signature path \"%s\"", modpath);
- return -1;
+ return MODULE_CHECK_ERROR;
}
/* Now add the .sgn suffix to get the signature file name. */
if (strlen (module_realpath) > PATH_MAX - 4) {
err("Path \"%s\" is too long.", modpath);
- return -1;
+ return MODULE_CHECK_ERROR;
}
sprintf (signature_realpath, "%s.sgn", module_realpath);
- dbug(2, "verify_module (%s, %s)\n", module_realpath, signature_realpath);
rc = verify_module (module_realpath, signature_realpath);
+
dbug(2, "verify_module returns %d\n", rc);
return rc;
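Review bot: The length guard before the `sprintf` still admits a path of exactly PATH_MAX - 4 characters, and "%s.sgn" then needs PATH_MAX + 1 bytes including the terminator, which overflows by one byte if signature_realpath is PATH_MAX bytes long (its declaration is outside the hunk, so please confirm). Since this function now reports distinct MODULE_* codes, the safer form is a bounded write with the truncation case mapped to the new error code: `int n = snprintf(signature_realpath, sizeof signature_realpath, "%s.sgn", module_realpath); if (n < 0 || (size_t)n >= sizeof signature_realpath) return MODULE_CHECK_ERROR;`. The function's return contract changed from 1/-1 to MODULE_OK/MODULE_UNTRUSTED/MODULE_CHECK_ERROR/MODULE_ALTERED; the header comment above check_signature (outside the hunk) should say so, since callers now branch on specific values. check_signature begins before this hunk.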
@@ -419,8 +420,10 @@ check_groups (void)
gid = stapusr_gid;
}
- if (gid != stapusr_gid)
+ if (gid != stapusr_gid) {
+ unprivileged_user = 1;
return 0;
+ }
}
/* At this point the user is only a member of the 'stapusr'
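Review bot: `unprivileged_user = 1;` turns check_groups into a predicate with a hidden side effect on a global, and nothing at the assignment says who consumes it or why it is set only on the not-in-stapusr path. A one-line comment would keep the next reader from "fixing" it, e.g. `/* Not in stapdev or stapusr: record this so a signed module loaded for this user runs with restricted privileges (see check_permissions). */`. check_groups starts outside the hunk, so the surrounding loop and the other return paths are not visible here.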
@@ -450,6 +453,14 @@ int check_permissions(void)
int check_groups_rc;
int check_signature_rc = 0;
+#if HAVE_NSS
+ /* Attempt to verify the module against its signature. Return failure
+ if the module has been tampered with (altered). */
+ check_signature_rc = check_signature ();
+ if (check_signature_rc == MODULE_ALTERED)
+ return 0;
+#endif
+
/* If we're root, we can do anything. */
if (getuid() == 0)
return 1;
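Review bot: The MODULE_ALTERED early `return 0` now runs before the `getuid() == 0` check, so root is refused a tampered module too; that looks deliberate and fail-closed, but the comment only says "Return failure if the module has been tampered with" and does not state that it overrides the root bypass. Suggest `/* Verify the module against its signature first: a module that has been altered is refused for everyone, including root. */`. Also, the refusal path emits no diagnostic here; if verify_module does not already log the tampering, the caller gets the generic "normal user" message below or a silent 0, which makes the failure hard to distinguish from a group-membership problem. When HAVE_NSS is not defined, check_signature_rc is initialised but never read, which -Wunused-but-set-variable may flag.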
@@ -459,15 +470,17 @@ int check_permissions(void)
if (check_groups_rc == 1)
return 1;
-#if HAVE_NSS
/* The user is an ordinary user. If the module has been signed with
* a "blessed" certificate and private key, then we will load it for
* anyone. */
- check_signature_rc = check_signature ();
- if (check_signature_rc == 1)
+#if HAVE_NSS
+ if (check_signature_rc == MODULE_OK)
return 1;
+ assert (check_signature_rc == MODULE_UNTRUSTED || check_signature_rc == MODULE_CHECK_ERROR);
#endif
+ /* We are an ordinary user and the module was not signed by a trusted
+ signer. */
err("ERROR: You are trying to run stap as a normal user.\n"
"You should either be root, or be part of either "
"group \"stapdev\" or group \"stapusr\".\n");