Systemtap is an administrative tool. It exposes kernel internal data structures and potentially private user information. See the stap(1) manual page for additional information on safety and security.

As a network server, stap-server should be activated with care in order to limit the potential effects of bugs or mischievous users. Consider the following prophylactic measures.
1   Run stap-server as an unprivileged user, never as root.

    When invoked as a service (i.e. service stap-server ...), each server is run, by default, as the user stap-server. When invoked directly (i.e. stap-server ...), each server is run, by default, as the invoking user. In each case, another user may be selected by using the -u option on invocation, by specifying STAP_USER=username in the global configuration file or by specifying USER=username in an individual server configuration file. The invoking user must have authority to run processes as another user. See CONFIGURATION.

    The selected user must have write access to the server log file. The location of the server log file may be changed by setting LOG_FILE=path in the global configuration file. See CONFIGURATION.

    The selected user must have read/write access to the directory containing the server status files. The location of the server status files may be changed by setting STAT_PATH=path in the global configuration file. See CONFIGURATION.

    The selected user must have read/write access to the uprobes.ko build directory and its files.

    Neither form of stap-server will run if the selected user is root.
2   Run stap-server requests with resource limits that impose maximum cpu time, file size and memory consumption, in order to bound the effects of processing excessively large or bogus inputs.

    When the user running the server is stap-server, each server request is run with the limits specified in ~stap-server/.systemtap/rc; otherwise, no limits are imposed.

3   Run stap-server with a TMPDIR environment variable that points to a separate and/or quota-enforced directory, in order to prevent filling up of important filesystems.

    The default TMPDIR is /tmp/.

4   Activate network firewalls to limit stap client connections to relatively trustworthy networks.

    For automatic selection of servers by clients, avahi must be installed on both the server and client hosts and mDNS messages must be allowed through the firewall.
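The following script, added here as an illustration and not taken from the stap-server manual page or the systemtap sources, turns measures 1 to 3 into a pre-flight check to run before the service is enabled. The account name, the log file, the status directory, the uprobes.ko build directory and TMPDIR are all parameters (the paths in the usage comment are placeholders); the only path it takes from the page is ~stap-server/.systemtap/rc. It assumes a Linux host with id(1), getent(1) and, for running it as the selected account, runuser(8). Because the file-access tests use the calling user's permissions, run it as the selected account, not as root, or the results say nothing about that account.

```shell
#!/bin/sh
# Added example, not part of the stap-server manual page or of systemtap:
# a pre-flight check for measures 1 to 3 above. The account name and every
# path are parameters; the paths in the usage line are placeholders.
# Run it as the selected account so that the file-access tests reflect that
# account's permissions rather than root's, for example (Linux, util-linux):
#   runuser -u stap-server -- sh preflight.sh stap-server \
#       /path/to/server.log /path/to/status /path/to/uprobes-build /path/to/tmp

# 0 if NAME is an existing account whose uid is not 0 (measure 1: never root).
stap_user_is_unprivileged() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

# 0 if DIR is a directory the calling user can both read and write
# (server status directory, uprobes.ko build directory).
stap_dir_rw() {
    [ -d "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# 0 if LOGFILE is writable, or does not exist yet but its parent directory is
# writable so the server can create it.
stap_log_writable() {
    if [ -e "$1" ]; then
        [ -w "$1" ]
    else
        parent=$(dirname "$1")
        [ -d "$parent" ] && [ -w "$parent" ]
    fi
}

# 0 if TMPDIR names a usable directory other than the default /tmp
# (measure 3: a separate and/or quota-enforced directory).
stap_tmpdir_separate() {
    case "${1%/}" in
        ""|/tmp) return 1 ;;
    esac
    stap_dir_rw "$1"
}

# Measure 2: limits apply only when the server runs as stap-server and come
# from ~stap-server/.systemtap/rc. 0 if that file exists and is non-empty.
stap_rc_present() {
    home=$(getent passwd stap-server | cut -d: -f6)
    [ -n "$home" ] && [ -s "$home/.systemtap/rc" ]
}

# Run every check, print one line per result, and return the number of
# failures (0 means all passed).
stap_server_preflight() {
    user=$1 logfile=$2 statdir=$3 builddir=$4 tmpdir=$5
    failures=0
    check() {
        desc=$1; shift
        if "$@"; then
            printf 'ok    %s\n' "$desc"
        else
            printf 'FAIL  %s\n' "$desc"
            failures=$((failures + 1))
        fi
    }
    check "account $user exists and is not root"            stap_user_is_unprivileged "$user"
    check "log file $logfile writable"                      stap_log_writable "$logfile"
    check "status directory $statdir read/write"            stap_dir_rw "$statdir"
    check "uprobes.ko build directory $builddir read/write" stap_dir_rw "$builddir"
    check "TMPDIR $tmpdir separate from /tmp and usable"    stap_tmpdir_separate "$tmpdir"
    if [ "$user" = stap-server ]; then
        check "limits file ~stap-server/.systemtap/rc present" stap_rc_present
    else
        printf 'WARN  no resource limits are imposed when the server user is %s\n' "$user"
    fi
    return "$failures"
}

# Command-line entry point: USER LOGFILE STATDIR BUILDDIR TMPDIR.
if [ "$#" -eq 5 ]; then
    stap_server_preflight "$@"
fi
```

The exit status is the number of failed checks, so the script can gate a deployment step directly. The WARN line for a non-stap-server account restates the page's point that the rc-file limits do not apply in that case; it is a reminder, not a check, because the page names no other mechanism for applying them.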
The systemtap compile server and its related utilities use the Secure Socket Layer (SSL) as implemented by Network Security Services (NSS) for network security. NSS is also used for the generation and management of certificates. The related certificate databases must be protected in order to maintain the security of the system. Use of the utilities provided will help to ensure that the proper protection is maintained. The systemtap client will check for proper access permissions before making use of any certificate database.
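The page says the certificate databases must be protected and that the client checks their access permissions, but it does not spell out the rules. The script below is an added example, not part of the manual page or of systemtap, and applies two conservative rules of its own: the database directory must be owned by the expected account, and nothing at or below it may be group- or world-writable. DBDIR and OWNER are supplied by the caller; it needs only POSIX find(1), ls(1) and awk(1).

```shell
#!/bin/sh
# Added example, not part of the stap-server manual page or of systemtap:
# a check that an NSS certificate database directory is protected from
# modification by anyone other than its owner. The rules here (expected
# owner, nothing inside group- or world-writable) are this example's
# assumptions, not the client's exact policy. DBDIR and OWNER are supplied
# by the caller.

# Print every entry at or below DBDIR that is group- (020) or world- (002)
# writable; prints nothing when the tree is clean.
certdb_writable_by_others() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# 0 if DBDIR is a directory owned by OWNER with no group- or world-writable
# entries; otherwise report the first problem found and return 1.
certdb_protected() {
    dbdir=$1 owner=$2
    [ -d "$dbdir" ] || { echo "$dbdir: not a directory"; return 1; }
    actual=$(ls -ld "$dbdir" | awk '{ print $3 }')
    if [ "$actual" != "$owner" ]; then
        echo "$dbdir: owned by $actual, expected $owner"
        return 1
    fi
    loose=$(certdb_writable_by_others "$dbdir")
    if [ -n "$loose" ]; then
        echo "group- or world-writable entries under $dbdir:"
        echo "$loose"
        return 1
    fi
    return 0
}

# Usage: certdb-check.sh DBDIR OWNER
if [ "$#" -eq 2 ]; then
    certdb_protected "$1" "$2"
fi
```

Run it against each database directory the server and clients use; a non-zero exit with the offending entries listed is the condition to fix (with chmod/chown) before the database is trusted again.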