Re: Proposal: Allowing access to dmesg for users in group adm
On Mon, Aug 17, 2020 at 03:50:37PM +1200, Matthew Ruffell wrote:
> Hello!
>
> I am currently working on a downstream effort to get
> CONFIG_SECURITY_DMESG_RESTRICT enabled in Ubuntu, and I would like to see if
> the Debian community is interested in carrying some of my proposed patches to
> Ubuntu.
>
> Debian already has CONFIG_SECURITY_DMESG_RESTRICT enabled by default since
> Stretch, but the dmesg command is restricted to superuser only. This is
> inconsistent with regular logging, which is only restricted to users in group
> "adm".
>
> For example, on a fresh Debian Buster system:
>
> $ head -1 /etc/os-release
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
>
> DMESG_RESTRICT is enabled, and my user is in group adm:
>
> $ grep -Rin "CONFIG_SECURITY_DMESG_RESTRICT" /boot/config-4.19.0-10-cloud-amd64
> 3130:CONFIG_SECURITY_DMESG_RESTRICT=y
> $ groups
> mruffell adm dip video plugdev
>
> Permissions for kern.log and syslog are for members of adm:
>
> $ ls -l /var/log/kern.log
> -rw-r----- 1 root adm 39414 Aug 11 21:44 /var/log/kern.log
> $ ls -l /var/log/syslog
> -rw-r----- 1 root adm 60744 Aug 11 21:56 /var/log/syslog
>
> I can read /var/log/kern.log and journalctl:
>
> $ head -2 /var/log/kern.log
> Aug 11 21:44:44 debian kernel: [ 0.000000] Linux version 4.19.0-10-cloud-amd64 (debian-kernel at lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
> Aug 11 21:44:44 debian kernel: [ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.19.0-10-cloud-amd64 root=UUID=fb69ad1f-43c0-40a4-8ec0-bb07f1175c82 ro console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 elevator=noop scsi_mod.use_blk_mq=Y
>
> $ journalctl -t kernel | head -3
> -- Logs begin at Tue 2020-08-11 21:44:43 UTC, end at Tue 2020-08-11 22:12:30 UTC. --
> Aug 11 21:44:43 debian kernel: Linux version 4.19.0-10-cloud-amd64 (debian-kernel at lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
> Aug 11 21:44:43 debian kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-4.19.0-10-cloud-amd64 root=UUID=fb69ad1f-43c0-40a4-8ec0-bb07f1175c82 ro console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 elevator=noop scsi_mod.use_blk_mq=Y
>
> And yet, I cannot access dmesg:
>
> $ dmesg
> dmesg: read kernel buffer failed: Operation not permitted
> $ ls -l /bin/dmesg
> -rwxr-xr-x 1 root root 84288 Jan 10 2019 /bin/dmesg
>
> Users on Ubuntu are accustomed to running dmesg without any permissions, which
> is why my downstream proposal to Ubuntu contained the following:
>
> I propose that we restrict access to dmesg to users in group 'adm' like so:
>
> 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
> 2) Following changes to /bin/dmesg permissions in package 'util-linux'
> - Ownership changes to root:adm
> - Permissions changed to 0750 (-rwxr-x---)
> - Add cap_syslog capability to binary.
> 3) Add a commented out '# kernel.dmesg_restrict = 0' to
> /etc/sysctl.d/10-kernel-hardening.conf
>
> You can read my original proposal on ubuntu-devel if you are interested:
> https://lists.ubuntu.com/archives/ubuntu-devel/2020-June/041063.html
>
> Would the Debian community also be interested in the changes to the dmesg
> binary in package util-linux?
>
> An example debdiff of the suggested changes which implement 2) is below:
> https://launchpadlibrarian.net/492806625/lp1886112_util-linux_groovy.debdiff
>
> This would allow any user in group adm to be able to run dmesg without
> becoming superuser, and see the same information already available in
> /var/log/kern.log, /var/log/syslog and journalctl.
Correct.
> Please let me know if you are interested,
Yes, I'm interested in this feature.
> as it enhances user experience when running dmesg,
Yes, it does feel strange to prefix a read-only action such as dmesg
with sudo.
> and there would be less delta between Debian and Ubuntu
> util-linux packages to maintain.
That is a nice extra.
> Thanks,
> Matthew Ruffell
Regards,
Geert Stappers
DD
--
Silence is hard to parse
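As an added example (not part of this thread, and not code from the util-linux or Ubuntu packaging), here is a small POSIX shell audit script that checks a host against the three-point policy quoted in the proposal: kernel.dmesg_restrict set to 1, /bin/dmesg owned root:adm with mode 0750, and the cap_syslog file capability on the binary. The policy values come from the proposal; the path /bin/dmesg as a default, the function names and the report wording are my own assumptions. The check functions take their input as strings so the logic can be exercised without root; audit_dmesg gathers the live values from /proc and the binary. The apply function needs root and is never run unless called explicitly.

```shell
#!/bin/sh
# Added example: audit a host against the dmesg access policy from the
# proposal. Not the project's own code; /bin/dmesg is an assumed default.

# Policy constants taken from the proposal: owner root, group adm, mode 0750.
DMESG_POLICY_OWNER="root:adm"
DMESG_POLICY_MODE="750"

# 1) kernel.dmesg_restrict must be 1 (argument: the value read from procfs).
check_dmesg_restrict() {
    [ "$1" = "1" ]
}

# 2) Ownership and mode (argument: "user:group mode", as stat -c '%U:%G %a' prints).
check_dmesg_perms() {
    [ "$1" = "$DMESG_POLICY_OWNER $DMESG_POLICY_MODE" ]
}

# 3) cap_syslog file capability (argument: one line of getcap output; both the
#    older "path = cap_syslog+ep" and the newer "path cap_syslog=ep" forms match).
check_dmesg_caps() {
    case "$1" in
        *cap_syslog*) return 0 ;;
        *) return 1 ;;
    esac
}

# Gather live values and print a report. Returns 0 only when all checks pass.
audit_dmesg() {
    bin="${1:-/bin/dmesg}"
    rc=0

    restrict=$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null || echo "unknown")
    if check_dmesg_restrict "$restrict"; then
        echo "OK   kernel.dmesg_restrict = $restrict"
    else
        echo "FAIL kernel.dmesg_restrict = $restrict (expected 1)"; rc=1
    fi

    perms=$(stat -c '%U:%G %a' "$bin" 2>/dev/null || echo "missing")
    if check_dmesg_perms "$perms"; then
        echo "OK   $bin is $perms"
    else
        echo "FAIL $bin is $perms (expected $DMESG_POLICY_OWNER $DMESG_POLICY_MODE)"; rc=1
    fi

    caps=$(getcap "$bin" 2>/dev/null || echo "")
    if check_dmesg_caps "$caps"; then
        echo "OK   $bin carries cap_syslog"
    else
        echo "FAIL $bin has no cap_syslog file capability"; rc=1
    fi

    return $rc
}

# Apply step 2) of the proposal to a binary. Requires root; not run by default.
apply_dmesg_policy() {
    bin="${1:-/bin/dmesg}"
    chown "$DMESG_POLICY_OWNER" "$bin" &&
    chmod "$DMESG_POLICY_MODE" "$bin" &&
    setcap cap_syslog+ep "$bin"
}

# Usage: sh dmesg-audit.sh [/path/to/dmesg]
if [ $# -gt 0 ]; then
    audit_dmesg "$1"
fi
```

Run it as `sh dmesg-audit.sh /bin/dmesg` on a Buster or Ubuntu host; on a stock Debian system the first check passes and the other two fail, which is exactly the inconsistency the proposal describes. Keeping the checks as string comparisons means the same script can be pointed at a chroot or an unpacked package for review before anything is changed on the live system.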