Hi,

here's a short discussion I had on the #debian-kernel IRC channel with Ben
Hutchings:

<lindi-> bwh: what about 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706817 ? it was technically 
broken during the freeze but went unnoticed since I was testing with 
experimental kernels and didn't realize that wheezy kernel would change during 
freeze...
<lindi-> bwh: or should I just use backports as new kernel versions are going 
to break things anyway?
<bwh> But stap works OK as root, right?
<bwh> (Why would anyone expect stap to not require root?)
<lindi-> bwh: yes it works as root
<bwh> Does it install some program setuid-root, or is that just an option?
<lindi-> bwh: 
http://anonscm.debian.org/gitweb/?p=collab-maint/systemtap.git;a=blob;f=README.security
<lindi-> bwh: "staprun is a setuid program.  It holds on to the root privileges 
only for the least amount of time (as required to verify/load compiled kernel 
module files).  It invokes only stapio, and only as the original (unprivileged) 
user."
<bwh> OK that's not too crazy :-)
<lindi-> bwh: and you need to be in the stapusr group to execute staprun
<bwh> So I think this is worth fixing in stable but you should talk to the 
stable release team
<lindi-> bwh: sure
<lindi-> they might be a bit busy right now though :)
<lindi-> bwh: can I assume I can paste the above to the bug report?
<bwh> lindi-: OK

I backported commit c5f7c84bf1dcc515 now to systemtap 1.7. I'd like to
propose this for stable proposed updates
(http://wiki.debian.org/StableProposedUpdates) after some testing.

Could somebody from systemtap upstream take a quick look at the backport
just to make sure I didn't do anything silly? (In case you wonder, I
removed the #ifdef HAVE_OPENAT lines to improve readability; we are
guaranteed to have openat in wheezy.)

Backported patch:

http://lindi.iki.fi/lindi/systemtap/wheezy/PR14245-support-sys-kernel-debug-mounted-0700.patch

Debdiff between old and new package:

http://lindi.iki.fi/lindi/systemtap/wheezy/systemtap_1.7-1+deb7u1.debdiff.txt

The directory also contains binaries for amd64 if somebody wants to test the 
packages:

http://lindi.iki.fi/lindi/systemtap/wheezy/

-Timo

