On Mon, Aug 17, 2020 at 03:50:37PM +1200, Matthew Ruffell wrote:
> Hello!
>
> I am currently working on a downstream effort to get
> CONFIG_SECURITY_DMESG_RESTRICT enabled in Ubuntu, and I would like to see if
> the Debian community is interested in carrying some of my proposed patches to
> Ubuntu.
>
> Debian already has CONFIG_SECURITY_DMESG_RESTRICT enabled by default since
> Stretch, but the dmesg command is restricted to superuser only. This is
> inconsistent with regular logging, which is only restricted to users in group
> "adm".
>
> For example, on a fresh Debian Buster system:
>
> $ head -1 /etc/os-release
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
>
> DMESG_RESTRICT is enabled, and my user is in group adm:
>
> $ grep -Rin "CONFIG_SECURITY_DMESG_RESTRICT" /boot/config-4.19.0-10-cloud-amd64
> 3130:CONFIG_SECURITY_DMESG_RESTRICT=y
> $ groups
> mruffell adm dip video plugdev
>
> Permissions for kern.log and syslog are for members of adm:
>
> $ ls -l /var/log/kern.log
> -rw-r----- 1 root adm 39414 Aug 11 21:44 /var/log/kern.log
> $ ls -l /var/log/syslog
> -rw-r----- 1 root adm 60744 Aug 11 21:56 /var/log/syslog
>
> I can read /var/log/kern.log and journalctl:
>
> $ head -2 /var/log/kern.log
> Aug 11 21:44:44 debian kernel: [ 0.000000] Linux version
> 4.19.0-10-cloud-amd64 (debian-kernel at lists.debian.org) (gcc version 8.3.0
> (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
> Aug 11 21:44:44 debian kernel: [ 0.000000] Command line:
> BOOT_IMAGE=/boot/vmlinuz-4.19.0-10-cloud-amd64
> root=UUID=fb69ad1f-43c0-40a4-8ec0-bb07f1175c82 ro console=tty0
> console=ttyS0,115200 earlyprintk=ttyS0,115200 elevator=noop
> scsi_mod.use_blk_mq=Y
>
> $ journalctl -t kernel | head -3
> -- Logs begin at Tue 2020-08-11 21:44:43 UTC, end at Tue 2020-08-11 22:12:30
> UTC. --
> Aug 11 21:44:43 debian kernel: Linux version 4.19.0-10-cloud-amd64
> (debian-kernel at lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1
> SMP Debian 4.19.132-1 (2020-07-24)
> Aug 11 21:44:43 debian kernel: Command line:
> BOOT_IMAGE=/boot/vmlinuz-4.19.0-10-cloud-amd64
> root=UUID=fb69ad1f-43c0-40a4-8ec0-bb07f1175c82 ro console=tty0
> console=ttyS0,115200 earlyprintk=ttyS0,115200 elevator=noop
> scsi_mod.use_blk_mq=Y
>
> And yet, I cannot access dmesg:
>
> $ dmesg
> dmesg: read kernel buffer failed: Operation not permitted
> $ ls -l /bin/dmesg
> -rwxr-xr-x 1 root root 84288 Jan 10 2019 /bin/dmesg
>
> Users on Ubuntu are accustomed to running dmesg without any permissions, which
> is why my downstream proposal to Ubuntu contained the following:
>
> I propose that we restrict access to dmesg to users in group 'adm' like so:
>
> 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
> 2) Following changes to /bin/dmesg permissions in package 'util-linux'
>    - Ownership changes to root:adm
>    - Permissions changed to 0750 (-rwxr-x---)
>    - Add cap_syslog capability to binary.
> 3) Add a commented out '# kernel.dmesg_restrict = 0' to
>    /etc/sysctl.d/10-kernel-hardening.conf
>
> You can read my original proposal on ubuntu-devel if you are interested:
> https://lists.ubuntu.com/archives/ubuntu-devel/2020-June/041063.html
>
> Would the Debian community also be interested in the changes to the dmesg
> binary in package util-linux?
>
> An example debdiff of the suggested changes which implement 2) is below:
> https://launchpadlibrarian.net/492806625/lp1886112_util-linux_groovy.debdiff
>
> This would allow any user in group adm to be able to run dmesg without
> becoming superuser, and see the same information already available in
> /var/log/kern.log, /var/log/syslog and journalctl.

Correct.

> Please let me know if you are interested,

Yes, I'm interested in this feature.

> as it enhances user experience when running dmesg,

Yes, it does feel strange to prefix a readonly action as dmesg with sudo.

> and there would be less delta between Debian and Ubuntu
> util-linux packages to maintain.

That is a nice extra.

> Thanks,
> Matthew Ruffell

Groeten
Geert Stappers
DD
-- 
Silence is hard to parse
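The proposal above combines three controls: the kernel.dmesg_restrict sysctl (set by CONFIG_SECURITY_DMESG_RESTRICT), the ownership and 0750 mode of /bin/dmesg, and the cap_syslog file capability on the binary. The script below is an added example, not code from this thread, from util-linux or from the linked debdiff. It models the access decision those three controls produce for the "Buster default" (root:root 0755, no file caps) and "proposed" (root:adm 0750, cap_syslog) states, and it can audit a real binary on the host it runs on. The user and group names, the `audit_live`, `parse_getcap` and `read_dmesg_restrict` helpers, and the model's simplifications (no LSM, no capability bounding set) are all assumptions of this example.

```python
"""
Model of the dmesg access policy from the thread: kernel.dmesg_restrict plus the
owner, mode and file capability of the dmesg binary decide who can read the
kernel ring buffer. Added example; not from the thread, util-linux or the debdiff.
"""
import grp
import os
import pwd
import shutil
import subprocess
from dataclasses import dataclass, field

CAP_SYSLOG = "cap_syslog"


@dataclass(frozen=True)
class BinaryState:
    """Ownership, permission bits and effective file capabilities of an executable."""
    owner: str
    group: str
    mode: int                                      # permission bits only, e.g. 0o750
    file_caps: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Requester:
    """The user trying to run dmesg and the groups they belong to."""
    user: str
    groups: frozenset
    is_root: bool = False


def can_execute(binary: BinaryState, who: Requester) -> bool:
    """Classic owner/group/other execute-bit check; root bypasses it (CAP_DAC_OVERRIDE)."""
    if who.is_root:
        return True
    if who.user == binary.owner:
        return bool(binary.mode & 0o100)
    if binary.group in who.groups:
        return bool(binary.mode & 0o010)
    return bool(binary.mode & 0o001)


def can_read_kernel_log(dmesg_restrict: int, binary: BinaryState, who: Requester) -> bool:
    """Does running this dmesg binary succeed for this user?

    With kernel.dmesg_restrict=1 the syslog(2) read needs CAP_SYSLOG, which an
    unprivileged user only obtains if the binary carries it as a file capability.
    Simplification (assumption): no LSM policy and a full capability bounding set.
    """
    if not can_execute(binary, who):
        return False
    if dmesg_restrict == 0:
        return True
    return who.is_root or CAP_SYSLOG in binary.file_caps


# Constructed states matching the two situations described in the thread.
BUSTER_DEFAULT = BinaryState("root", "root", 0o755)                    # -rwxr-xr-x root root
PROPOSED = BinaryState("root", "adm", 0o750, frozenset({CAP_SYSLOG}))  # -rwxr-x--- root adm + cap_syslog

# Constructed requesters; the adm user mirrors the `groups` output quoted above.
ADM_USER = Requester("mruffell", frozenset({"adm", "dip", "video", "plugdev"}))
OTHER_USER = Requester("nobody", frozenset({"nogroup"}))
ROOT = Requester("root", frozenset({"root"}), is_root=True)


def parse_getcap(output: str) -> frozenset:
    """Capability names from getcap output. Handles both the older
    '/bin/dmesg = cap_syslog+ep' form and the newer '/bin/dmesg cap_syslog=ep'."""
    tokens = output.replace("=", " ").replace("+", " ").replace(",", " ").split()
    return frozenset(tok for tok in tokens if tok.startswith("cap_"))


def read_dmesg_restrict() -> int:
    """Current kernel.dmesg_restrict value; treated as 0 if the sysctl is absent."""
    try:
        with open("/proc/sys/kernel/dmesg_restrict") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 0


def audit_live(path: str = "/bin/dmesg"):
    """Inspect a real binary on this host; returns a BinaryState, or None if absent."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    caps = frozenset()
    if shutil.which("getcap"):
        res = subprocess.run(["getcap", path], capture_output=True, text=True)
        caps = parse_getcap(res.stdout)
    return BinaryState(owner, group, st.st_mode & 0o777, caps)


if __name__ == "__main__":
    for label, state in (("buster default", BUSTER_DEFAULT), ("proposed", PROPOSED)):
        for who in (ADM_USER, OTHER_USER, ROOT):
            print(f"{label:15} restrict=1 {who.user:9} -> {can_read_kernel_log(1, state, who)}")
    live = audit_live()
    if live is not None:
        print("this host:", live, "kernel.dmesg_restrict =", read_dmesg_restrict())
```

Two caveats the model makes visible: with dmesg_restrict=1 the 0755 root:root binary is executable by everyone yet useful to nobody but root, while the proposed state grants the read only to adm members because the capability is attached to a binary they alone can execute. File capabilities are ignored on filesystems mounted nosuid and are lost when the binary is copied, so the audit should be run against the installed path.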