
Proposal: Allowing access to dmesg for users in group adm



Hello!

I am currently working on a downstream effort to get 
CONFIG_SECURITY_DMESG_RESTRICT enabled in Ubuntu, and I would like to see if
the Debian community is interested in carrying some of my proposed patches to
Ubuntu.

Debian already has CONFIG_SECURITY_DMESG_RESTRICT enabled by default since
Stretch, but the dmesg command is restricted to superuser only. This is
inconsistent with regular logging, which is only restricted to users in group
"adm".

For example, on a fresh Debian Buster system:

$ head -1 /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"

DMESG_RESTRICT is enabled, and my user is in group adm:

$ grep -Rin "CONFIG_SECURITY_DMESG_RESTRICT" /boot/config-4.19.0-10-cloud-amd64 
3130:CONFIG_SECURITY_DMESG_RESTRICT=y
$ groups
mruffell adm dip video plugdev

Permissions for kern.log and syslog are for members of adm:

$ ls -l /var/log/kern.log 
-rw-r----- 1 root adm 39414 Aug 11 21:44 /var/log/kern.log
$ ls -l /var/log/syslog
-rw-r----- 1 root adm 60744 Aug 11 21:56 /var/log/syslog

I can read /var/log/kern.log and journalctl:

$ head -2 /var/log/kern.log
Aug 11 21:44:44 debian kernel: [    0.000000] Linux version 4.19.0-10-cloud-amd64 (debian-kernel at lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
Aug 11 21:44:44 debian kernel: [    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.19.0-10-cloud-amd64 root=UUID=fb69ad1f-43c0-40a4-8ec0-bb07f1175c82 ro console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 elevator=noop scsi_mod.use_blk_mq=Y

$ journalctl -t kernel | head -3
-- Logs begin at Tue 2020-08-11 21:44:43 UTC, end at Tue 2020-08-11 22:12:30 UTC. --
Aug 11 21:44:43 debian kernel: Linux version 4.19.0-10-cloud-amd64 (debian-kernel at lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
Aug 11 21:44:43 debian kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-4.19.0-10-cloud-amd64 root=UUID=fb69ad1f-43c0-40a4-8ec0-bb07f1175c82 ro console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 elevator=noop scsi_mod.use_blk_mq=Y

And yet, I cannot access dmesg:

$ dmesg
dmesg: read kernel buffer failed: Operation not permitted
$ ls -l /bin/dmesg
-rwxr-xr-x 1 root root 84288 Jan 10  2019 /bin/dmesg

Users on Ubuntu are accustomed to running dmesg without any permissions, which
is why my downstream proposal to Ubuntu contained the following:

I propose that we restrict access to dmesg to users in group 'adm' like so:

1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
2) The following changes to /bin/dmesg permissions in package 'util-linux':
   - Ownership changes to root:adm
   - Permissions changed to 0750 (-rwxr-x---)
   - Add cap_syslog capability to binary.
3) Add a commented out '# kernel.dmesg_restrict = 0' to
   /etc/sysctl.d/10-kernel-hardening.conf

You can read my original proposal on ubuntu-devel if you are interested:
https://lists.ubuntu.com/archives/ubuntu-devel/2020-June/041063.html

Would the Debian community also be interested in the changes to the dmesg
binary in package util-linux?

An example debdiff of the suggested changes which implement 2) is below:
https://launchpadlibrarian.net/492806625/lp1886112_util-linux_groovy.debdiff

This would allow any user in group adm to be able to run dmesg without
becoming superuser, and see the same information already available in
/var/log/kern.log, /var/log/syslog and journalctl.

Please let me know if you are interested, as it enhances user experience
when running dmesg, and there would be less delta between Debian and Ubuntu
util-linux packages to maintain.

Thanks,
Matthew Ruffell

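As an added example, not part of Matthew's post or of the Debian/Ubuntu util-linux packaging, here is a small POSIX sh audit helper that checks a system against the three-part proposal above (dmesg_restrict on, /bin/dmesg owned root:adm, mode 0750, cap_syslog on the file). It assumes GNU stat, getcap from libcap and sysctl are installed, and that getcap prints the capability set as either `cap_syslog=ep` (newer libcap) or `= cap_syslog+ep` (older libcap).

```sh
#!/bin/sh
# check_dmesg_policy OWNER GROUP MODE CAPS RESTRICT
#   Pure check over already-collected values. Returns 0 when the binary and
#   sysctl match the proposed state, 1 otherwise; each deviation is printed.
check_dmesg_policy() {
  owner=$1 group=$2 mode=$3 caps=$4 restrict=$5
  rc=0
  [ "$restrict" = "1" ] || { echo "kernel.dmesg_restrict is '$restrict', expected 1"; rc=1; }
  [ "$owner" = "root" ]  || { echo "owner is '$owner', expected root"; rc=1; }
  [ "$group" = "adm" ]   || { echo "group is '$group', expected adm"; rc=1; }
  [ "$mode" = "750" ]    || { echo "mode is '$mode', expected 750"; rc=1; }
  # Accept both getcap output styles: "cap_syslog=ep" and "= cap_syslog+ep".
  case $caps in
    *cap_syslog*ep*) ;;
    *) echo "file capabilities '$caps' lack cap_syslog in the effective set"; rc=1 ;;
  esac
  return $rc
}

# audit_dmesg_binary [PATH]
#   Collects the live values for PATH (default /bin/dmesg) and runs the check.
#   GNU stat, getcap and sysctl are assumed to be present (an assumption).
audit_dmesg_binary() {
  path=${1:-/bin/dmesg}
  [ -e "$path" ] || { echo "$path not found"; return 1; }
  set -- $(stat -c '%U %G %a' "$path")              # owner group octal-mode
  caps=$(getcap "$path" 2>/dev/null | sed 's/^[^ ]* //')  # strip the path column
  restrict=$(sysctl -n kernel.dmesg_restrict 2>/dev/null || echo unknown)
  check_dmesg_policy "$1" "$2" "$3" "$caps" "$restrict"
}
```

Run `audit_dmesg_binary` on a Buster box before and after applying the debdiff: before, it reports the root:root 0755 binary with no file capabilities; after, it should return 0.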