author dsmith <dsmith> 2007-08-14 15:29:40 +0000
committer dsmith <dsmith> 2007-08-14 15:29:40 +0000
commit 98aab4894c500fd1c387e3619dc8aa2c096a8b89 (patch)
tree 907598e0f44a1796757d028a31798ccb5c60afe9 /stap.1.in
parent 69bf08b5a00d5095ca50b7400221b2cbedeae904 (diff)
2007-08-14 David Smith <dsmith@redhat.com>
Merge from setuid-branch. Changes also by Martin Hunt <hunt@redhat.com>.

* Makefile.am: Added staprun_funcs.c and cap.c to staprun_SOURCES. Added -lcap to staprun_LDADD. Removed stp_check reference. Added stapio program. Staprun is now setuid.
* Makefile.in: Rebuilt.
* configure.ac: Version increase to 0.6 and checks for libcap availability. Removed stp_check reference.
* configure: Regenerated.
* stp_check.in: Removed.
* systemtap.spec.in: Version increase to 0.6-1 and added BuildReq for libcap-devl (and removed sudo requirement). Added %pre script to create new groups. Staprun is now setuid.
* NEWS: Added info on new security model.
* INTERNALS: Removed sudo reference.
* README.security: New file.
* main.cxx (main): Make sure module name isn't too long.
* hash.cxx: Moved MODULE_NAME_LEN define to hash.h.
* hash.h: Moved MODULE_NAME_LEN define here from hash.cxx.
* buildrun.cxx (run_pass): No longer runs staprun with "sudo".
* stap.1.in: Removed sudo references and added information about the stapdev/stapusr groups.
* staprun.8.in: Added information about module detaching and attaching. Removed sudo references and added information about the stapdev/stapusr groups. Removed reference to staprun needing to be run as root. Removed reference to removed '-u USERNAME' option.
* .cvsignore: Removed stp_check and added stapio and stap_merge.

Diffstat (limited to 'stap.1.in')
-rw-r--r-- stap.1.in 43
1 files changed, 33 insertions, 10 deletions
diff --git a/stap.1.in b/stap.1.in
index a68a030b..85ff8266 100644
--- a/stap.1.in
+++ b/stap.1.in
@@ -754,7 +754,9 @@ Any run-time error encountered by the probe handlers, such as running
out of memory, division by zero, exceeding nesting or runtime limits,
results in a soft error indication. Soft errors in excess of
MAXERRORS block of all subsequent probes, and terminate the session.
-Finally, staprun unloads the module, and cleans up.
+Finally,
+.I staprun
+unloads the module, and cleans up.
.SH EXAMPLES
See the
@@ -773,20 +775,42 @@ directory, which may be periodically cleaned/erased by the user.
.SH SAFETY AND SECURITY
Systemtap is an administrative tool. It exposes kernel internal data
-structures and potentially private user information. It acquires root
-privileges to actually run the kernel objects it builds using the
-.IR sudo
-command applied to the
+structures and potentially private user information.
+It acquires
+either root privileges
+
+To actually run the kernel objects it builds, a user must be one of
+the following:
+.IP \(bu 4
+the root user;
+.IP \(bu 4
+a member of the
+.I stapdev
+group; or
+.IP \(bu 4
+a member of the
+.I stapusr
+group. Members of the
+.I stapusr
+group can only use modules located in
+the /lib/modules/VERSION/systemtap directory. This directory
+must be owned by root and not be world writable.
+.PP
+The kernel modules generated by
+.I stap
+program are run by the
.IR staprun
program. The latter is a part of the Systemtap package, dedicated to
module loading and unloading (but only in the white zone), and
kernel-to-user data transfer. Since
.IR staprun
does not perform any additional security checks on the kernel objects
-it is given, it would be unwise for a system administrator to give
-even targeted
-.IR sudo
-privileges to untrusted users.
+it is given, it would be unwise for a system administrator to add
+untrusted users to the
+.I stapdev
+or
+.I stapusr
+groups.
.PP
The translator asserts certain safety constraints. It aims to ensure
that no handler routine can run for very long, allocate memory,
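Review bot: The rewritten opening of SAFETY AND SECURITY leaves a dangling fragment: the added lines "It acquires" and "either root privileges" never finish the sentence, and the empty added line after them is a bare blank line in roff source rather than a .PP. The paragraph that follows already states who may run the generated modules (root, stapdev members, stapusr members), so I would drop those three added lines and start the list paragraph with .PP. Two smaller points in the same hunk: "generated by" / ".I stap" / "program" is missing "the" before the italic name, and the retained sentence saying staprun "does not perform any additional security checks on the kernel objects it is given" now sits next to the new stapusr restriction to /lib/modules/VERSION/systemtap (root-owned, not world writable). Please say which program enforces that directory restriction so the two statements do not read as contradictory to an administrator deciding who goes in which group.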
@@ -897,7 +921,6 @@ unloading.
.IR stapex (5),
.IR lket (5),
.IR awk (1),
-.IR sudo (8),
.IR gdb (1)
.SH BUGS