
Re: Proposal: Allowing access to dmesg for users in group adm



On Aug 17, Matthew Ruffell <matthew.ruffell@canonical.com> wrote:

> I propose that we restrict access to dmesg to users in group 'adm' like so:
> 
> 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
Which is already the default for Debian.

> 2) Following changes to /bin/dmesg permissions in package 'util-linux'
>     - Ownership changes to root:adm
>     - Permissions changed to 0750 (-rwxr-x---)
>     - Add cap_syslog capability to binary.
Looks good to me.

> 3) Add a commented out '# kernel.dmesg_restrict = 0' to
>    /etc/sysctl.d/10-kernel-hardening.conf
Debian does not have this file, so I am not sure if it should be 
introduced just for this.
And what would be the point of setting kernel.dmesg_restrict=0 as long 
as dmesg is still not world-executable?

-- 
ciao,
Marco
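
A way to audit a system against steps 1 and 2 of the quoted proposal, as an added example that is not part of the original mail or of the util-linux packaging. The function names are hypothetical, and GNU `stat` and libcap's `getcap` are assumed to be installed.

```shell
#!/bin/sh
# Added example: compare a dmesg binary and the running kernel setting with
# the layout proposed in the thread (root:adm, 0750, cap_syslog, restrict=1).

# Pure check on already-collected values, so it can be exercised offline.
# Args: octal mode, owner, group, getcap output, kernel.dmesg_restrict value
check_dmesg_layout() {
    mode=$1; owner=$2; group=$3; caps=$4; restrict=$5
    rc=0
    if [ "$restrict" != 1 ]; then
        echo "FAIL: kernel.dmesg_restrict=$restrict (step 1 expects 1)"; rc=1
    fi
    if [ "$owner:$group" != root:adm ]; then
        echo "FAIL: ownership $owner:$group (step 2 expects root:adm)"; rc=1
    fi
    if [ "$mode" != 750 ]; then
        echo "FAIL: mode $mode (step 2 expects 0750)"; rc=1
    fi
    case $caps in
        *cap_syslog*) ;;   # capability present in the getcap output
        *) echo "FAIL: cap_syslog not set on the binary"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: matches the proposed layout"
    fi
    return "$rc"
}

# Collect the live values and run the check. Returns 2 if the file is missing.
audit_dmesg() {
    bin=${1:-/bin/dmesg}
    # GNU stat: %a octal mode, %U owner name, %G group name
    st=$(stat -c '%a %U %G' "$bin") || return 2
    set -- $st
    file_caps=$(getcap "$bin" 2>/dev/null)   # empty when no file capabilities
    sysctl_val=$(cat /proc/sys/kernel/dmesg_restrict)
    check_dmesg_layout "$1" "$2" "$3" "$file_caps" "$sysctl_val"
}

# Usage: audit_dmesg /bin/dmesg
```
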
