Путеводитель по Руководству Linux

  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |



   stap-server    ( 8 )

управление сервером компиляции systemtap (systemtap compile server management)

SERVER AUTHENTICATION

The security of the SSL network connection between the client and server depends on the proper management of server certificates.

The trustworthiness of a given systemtap compile server can not be determined automatically without a trusted certificate authority issuing systemtap compile server certificates. This is not practical in everyday use and so, clients must authenticate servers against their own database of trusted server certificates. In this context, establishing a given server as trusted by a given client means adding that server's certificate to the client's database of trusted servers.

For the stap-server initscript, on the local host, this is handled automatically. When the systemtap-server package is installed, the server's certificate for the default user (stap-server) is automatically generated and installed. This means that servers started by the stap-server initscript, with the default user, are automatically trusted by clients on the local host, both as an SSL peer and as a systemtap module signer.

Furthermore, when stap is invoked by an unprivileged user (not root, not a member of the group stapdev, but a member of the group stapusr and possibly the group stapsys), the options --use-server and --privilege are automatically added to the specified options. This means that unprivileged users on the local host can use a server on the local host in unprivileged mode with no further setup or options required. Normal users (those in none of the SystemTap groups) can also use compile- servers through the --use-server and --privilege options. But they will of course be unable to load the module (the -p4 option can be used to stop short of loading).

In order to use a server running on another host, that server's certificate must be installed on the client's host. See the --trust-servers option in the stap(1) manual page for more details and README.unprivileged in the systemtap sources for more details.