Bug#847198: src:linux: dmesg should be allowed to print the kernel ring buffer for admins

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#847198: src:linux: dmesg should be allowed to print the kernel ring buffer for admins
From: Vincent Lefevre <vincent@vinc17.net>
Date: Tue, 6 Dec 2016 14:00:41 +0100
Message-id: <[🔎] 20161206130040.GA23813@cventin.lip.ens-lyon.fr>
Reply-to: Vincent Lefevre <vincent@vinc17.net>, 847198@bugs.debian.org

Package: src:linux
Severity: wishlist

In the past, admins could get dmesg output without running it as root,
but this is no longer possible:

  * security,printk: Enable SECURITY_DMESG_RESTRICT, preventing non-root users
    reading the kernel log by default (sysctl: kernel.dmesg_restrict)

(in changelog.linux.gz). It is good that normal users cannot read
the kernel log, but for admins (typically users in the adm group,
who can already read /var/log/kern.log, thus have access to the same
information), this is a regression.

Note: "journalctl -b" also gives kernel logs (among other logs).

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/12 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Reply to:

Prev by Date: Bug#847154: marked as done (linux-image-amd64: Disabling vsyscall interface may break docker run)
Next by Date: linux_4.9~rc8-1~exp1_multi.changes ACCEPTED into experimental, experimental
Previous by thread: linux_4.9~rc8-1~exp1_multi.changes is NEW
Next by thread: linux_4.9~rc8-1~exp1_multi.changes ACCEPTED into experimental, experimental
Index(es):
- Date
- Thread