![]() You can read my original proposal on ubuntu-devel if you are interested: Permissions changed to 0750 (-rwxr-x-)ģ) Add a commented out '# kernel.dmesg_restrict = 0' to I propose that we restrict access to dmesg to users in group 'adm' like so:ġ) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.Ģ) Following changes to /bin/dmesg permissions in package 'util-linux' Is why my downstream proposal to Ubuntu contained the following: Users on Ubuntu are accustomed to running dmesg without any permissions, which Permissions for kern.log and syslog are for members of adm: $ grep -Rin "CONFIG_SECURITY_DMESG_RESTRICT" /boot/config-4.19.0-10-cloud-amd64 PRETTY_NAME="Debian GNU/Linux 10 (buster)"ĭMESG_RESTRICT is enabled, and my user is in group adm: Inconsistent with regular logging, which is only restricted to users in groupįor example, on a fresh Debian Buster system: Stretch, but the dmesg command is restricted to superuser only. The Debian community is interested in carrying some of my proposed patches toĭebian already has CONFIG_SECURITY_DMESG_RESTRICT enabled by default since I am currently working on a downstream effort to getĬONFIG_SECURITY_DMESG_RESTRICT enabled in Ubuntu, and I would like to see if Subject: Proposal: Allowing access to dmesg for users in group adm.Proposal: Allowing access to dmesg for users in group adm
0 Comments
Leave a Reply. |