Man Linux: Main Page and Category List


       stap-authorize-signing-cert - systemtap signing authorization utility


       stap-authorize-signing-cert CERTFILE [ DIRNAME ]


       The  staprun program will load modules for members of the group stapusr
       if they are signed by a trusted signer. A trusted signer is  usually  a
       systemtap   compile   server   which  signs  modules  when  the  client
       (stap-client) specifies the --unprivileged option.

       The  trustworthiness  of  a  given  signer  can   not   be   determined
       automatically without a trusted certificate authority issuing systemtap
       signing certificates. This is not practical in  everyday  use  and  so,
       staprun  must  authenticate servers against its own database of trusted
       signers. In this context, establishing a given signer as trusted  means
       adding  that  signer's  certificate  to  staprun's  database of trusted

       The  stap-authorize-signing-cert  program  adds   the   given   signing
       certificate  to  the  given  certificate database, making that signer a
       trusted server for staprun when using that database.


       The stap-authorize-signing-cert program accepts two arguments:

              This is the name of the file containing the certificate  of  the
              new  trusted signer.  For systemtap compile servers, this is the
              file  named  stap.cert  which  can  be  found  in  the  server's
              certificate  database.   On the server host, for servers started
              by the stap-server  service,  this  database  can  be  found  in
              /var/lib/stap-server/.systemtap/ssl/server/.  For servers run by
              other  non-root  users,  this   database   can   be   found   in
              $HOME/.systemtap/ssl/server/.   For  root users (EUID=0), it can
              be found in /etc/systemtap/ssl/server.

              This optional argument is the name of the  directory  containing
              the  certificate  database  to  which  the  certificate is to be
              added. If not specified, the default is /etc/systemtap/staprun/.
              That  is, the default result is that all users on the local host
              will trust this signer. Note that this default directory is only
              writable by root.


       Systemtap  is  an administrative tool.  It exposes kernel internal data
       structures and potentially private user information.  See  the  stap(1)
       manual page for additional information on safety and security.

       Systemtap  uses  Network Security Services (NSS) for module signing and
       verification. The NSS tool certutil  is  used  for  the  generation  of
       certificates.  The  related  certificate databases must be protected in
       order to maintain the security of the system.   Use  of  the  utilities
       provided  will help to ensure that the proper protection is maintained.
       staprun will check for proper access permissions before making  use  of
       any certificate database.


              staprun's trusted signer certificate database.

              Signing  certificate  for  servers  started  by  the stap-server


       stap(1), staprun(8), stap-server(8), stap-client(8), NSS, certutil


       Use the Bugzilla link of the project web  page  or  our  mailing  list., <>.