From a2422e707214a425e4e10ac5b7c39fc5ae4dea56 Mon Sep 17 00:00:00 2001 From: Dave Brolley Date: Tue, 14 Apr 2009 12:33:28 -0400 Subject: 2009-04-14 Dave Brolley * translate.cxx (c_unparser::emit_unprivileged_user_check): Generate code to check _stp_unprivileged_user. * testsuite/lib/systemtap.exp (setup_server): Copy stap-env to $net_path. * runtime/transport/transport.c: Set up _stp_unprivileged_user. * runtime/staprun/staprun_funcs.c (check_signature): Distiguish among verification failure due to errors, tampering, untrusted signer. (check_permissions): Likewise. (check_groups): Set unprivileged_user. * runtime/staprun/staprun.c (insert_stap_module): Set _stp_unprivileged_user. * runtime/staprun/modverify.h (MODULE_OK): #define it. (MODULE_UNTRUSTED,MODULE_CHECK_ERROR,MODULE_ALTERED): Likewise. * runtime/staprun/modverify.c (modverify.h): #include it. (verify_it): Distiguish among verification failure due to errors, tampering, untrusted signer. (verify_module): Likewise. * runtime/staprun/common.c (unprivileged_user): Define it. * runtime/staprun/staprun.h (unprivileged_user): Declare it. * cache.cxx (get_from_cache): Get the module signature file. * stap-authorize-server-cert: Source `dirname $0`/stap-env. * stap-authorize-signing-cert: Likewise. * stap-client: Likewise. * stap-find-or-start-server: Likewise. * stap-find-servers: Likewise. * stap-gen-cert: Likewise. * stap-server: Likewise. * stap-serverd: Likewise. * stap-start-server: Likewise. --- runtime/staprun/staprun_funcs.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) (limited to 'runtime/staprun/staprun_funcs.c') diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c index 020bb312..6e72fd72 100644 --- a/runtime/staprun/staprun_funcs.c +++ b/runtime/staprun/staprun_funcs.c @@ -20,6 +20,7 @@ #include #include #include +#include extern long init_module(void *, unsigned long, const char *); @@ -225,18 +226,18 @@ check_signature(void) /* Use realpath() to canonicalize the module path. */ if (realpath(modpath, module_realpath) == NULL) { perr("Unable to canonicalize signature path \"%s\"", modpath); - return -1; + return MODULE_CHECK_ERROR; } /* Now add the .sgn suffix to get the signature file name. */ if (strlen (module_realpath) > PATH_MAX - 4) { err("Path \"%s\" is too long.", modpath); - return -1; + return MODULE_CHECK_ERROR; } sprintf (signature_realpath, "%s.sgn", module_realpath); - dbug(2, "verify_module (%s, %s)\n", module_realpath, signature_realpath); rc = verify_module (module_realpath, signature_realpath); + dbug(2, "verify_module returns %d\n", rc); return rc; @@ -419,8 +420,10 @@ check_groups (void) gid = stapusr_gid; } - if (gid != stapusr_gid) + if (gid != stapusr_gid) { + unprivileged_user = 1; return 0; + } } /* At this point the user is only a member of the 'stapusr' @@ -450,6 +453,14 @@ int check_permissions(void) int check_groups_rc; int check_signature_rc = 0; +#if HAVE_NSS + /* Attempt to verify the module against its signature. Return failure + if the module has been tampered with (altered). */ + check_signature_rc = check_signature (); + if (check_signature_rc == MODULE_ALTERED) + return 0; +#endif + /* If we're root, we can do anything. */ if (getuid() == 0) return 1; @@ -459,15 +470,17 @@ int check_permissions(void) if (check_groups_rc == 1) return 1; -#if HAVE_NSS /* The user is an ordinary user. If the module has been signed with * a "blessed" certificate and private key, then we will load it for * anyone. */ - check_signature_rc = check_signature (); - if (check_signature_rc == 1) +#if HAVE_NSS + if (check_signature_rc == MODULE_OK) return 1; + assert (check_signature_rc == MODULE_UNTRUSTED || check_signature_rc == MODULE_CHECK_ERROR); #endif + /* We are an ordinary user and the module was not signed by a trusted + signer. */ err("ERROR: You are trying to run stap as a normal user.\n" "You should either be root, or be part of either " "group \"stapdev\" or group \"stapusr\".\n"); -- cgit