Comment 7 for bug 677226

Steve Beattie (sbeattie) wrote :

Unfortunately, relying on build time permission setting is insufficient; dh_fixperms removes the setuid bit and converts everything to root ownership. In order to fix it to be owned, we need to do dpkg-statoverride in the postinst (as well as tweak the dh_fixperms_override step in the debian rules file), like so:

diff -Nru systemtap-1.3/debian/rules systemtap-1.3/debian/rules
--- systemtap-1.3/debian/rules 2010-08-06 11:34:25.000000000 -0700
+++ systemtap-1.3/debian/rules 2010-11-19 15:26:42.000000000 -0800
@@ -87,7 +87,7 @@

 override_dh_fixperms:
  dh_fixperms
- chmod 4755 debian/systemtap-runtime/usr/bin/staprun
+ chmod 4750 debian/systemtap-runtime/usr/bin/staprun

 override_dh_installchangelogs:
          dh_installchangelogs debian/changelog
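
Review bot: The `chmod 4750` in override_dh_fixperms now duplicates the mode that systemtap-runtime.postinst passes to dpkg-statoverride, and nothing in this hunk says so. The file also still leaves the build as root:root after dh_fixperms, so the group restriction only becomes usable once postinst registers root:stapusr. Add a comment on this line noting that ownership is set in postinst and that the two 4750 values must be kept in sync.
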
diff -Nru systemtap-1.3/debian/systemtap-runtime.postinst systemtap-1.3/debian/systemtap-runtime.postinst
--- systemtap-1.3/debian/systemtap-runtime.postinst 2010-08-06 11:34:25.000000000 -0700
+++ systemtap-1.3/debian/systemtap-runtime.postinst 2010-11-19 15:30:31.000000000 -0800
@@ -12,6 +12,11 @@
   echo "Adding stapusr group..."
   addgroup --quiet --system stapusr || true
  fi
+ # Fixup staprun binary for new group 'stapusr'.
+ if [ -x /usr/sbin/dpkg-statoverride ] &&
+ ! dpkg-statoverride --list /usr/bin/staprun > /dev/null ; then
+ dpkg-statoverride --update --add root stapusr 4750 /usr/bin/staprun
+ fi
  ;;
 abort-upgrade|abort-remove|abort-deconfigure)
  ;;
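
Review bot: The `[ -x /usr/sbin/dpkg-statoverride ]` test hard-codes a path, while the two dpkg-statoverride calls after it are resolved through PATH. If the binary is not at that path the block is skipped silently and staprun stays root:root 4750, which members of stapusr cannot run. Drop the test or use the same lookup for the test and the calls. Two smaller points: `addgroup --quiet --system stapusr || true` just above swallows a failed group creation, so `--add root stapusr 4750` can run with the group missing and should either be guarded or allowed to fail loudly; and the patch registers an override without adding a matching `dpkg-statoverride --remove` for package removal.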

I've incorporated this into packages that I've uploaded to the ubuntu-security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages and verified that the permissions and ownership are such that only users in the stapusr group (as well as root) can run staprun, and that the upstream patch addresses Tavis' example cases:

   $ staprun [module_to_remove]

and

  $ MODPROBE_OPTIONS="--dirname /tmp" staprun -u whatever

Thanks.