Re: Proposal: Allowing access to dmesg for users in group adm
On Mon, 2020-08-17 at 15:50 +1200, Matthew Ruffell wrote:
> I propose that we restrict access to dmesg to users in group 'adm' like so:
> 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
> 2) Following changes to /bin/dmesg permissions in package 'util-linux'
> - Ownership changes to root:adm
> - Permissions changed to 0750 (-rwxr-x---)
> - Add cap_syslog capability to binary.
> 3) Add a commented out '# kernel.dmesg_restrict = 0' to

That grants additional rights to the `adm` group that it did not have
before, for example to clear the dmesg buffer:

    $ dmesg --clear

works after adding `cap_syslog` to the dmesg binary whereas it did not