Alex,

Alex Vong wrote:
I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to prevent unprivileged users from reading the kernel ring buffer (since it could expose sensitive information about the system).

Debian does this. I don't know about other distros.

I do this on all my Guix Systems by default; sounds good to me!

Let's do it by setting CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel configuration: it changes the default /proc/sys/kernel/dmesg_restrict from 0 to 1, but still allows changing it later (I tried).

No overhead, no service whose only job is to flip an unwanted bit, no cmdline cruft.

Kind regards,

T G-R

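The kernel-configuration approach described in the reply above, written out as an added example that is not part of the original message or of Guix itself. It assumes the `customize-linux` procedure from `(gnu packages linux)` with its `#:name` and `#:configs` keyword arguments, building on the default linux-libre package; the package name `linux-libre-dmesg-restricted` is a made-up identifier for illustration.

```scheme
;; Added example (not from the original thread): a Guix kernel package that
;; bakes CONFIG_SECURITY_DMESG_RESTRICT=y into the kernel configuration so
;; that /proc/sys/kernel/dmesg_restrict defaults to 1 at boot, with no
;; sysctl service or kernel command-line argument involved.
(use-modules (gnu)
             (gnu packages linux))

;; Assumed API: customize-linux from (gnu packages linux), which takes a
;; list of "CONFIG_FOO=y" strings and appends them to the base kernel's
;; .config before building.  The package name below is hypothetical.
(define-public linux-libre-dmesg-restricted
  (customize-linux
   #:name "linux-libre-dmesg-restricted"
   #:configs '("CONFIG_SECURITY_DMESG_RESTRICT=y")))

;; Use it from an operating-system declaration with:
;;   (operating-system
;;     (kernel linux-libre-dmesg-restricted)
;;     ;; remaining fields unchanged
;;     )
;; Because the option only changes the compiled-in default, root can still
;; relax it at runtime (sysctl -w kernel.dmesg_restrict=0) if ever needed.
```

After reconfiguring and rebooting into this kernel, `cat /proc/sys/kernel/dmesg_restrict` reads 1 and running `dmesg` as an unprivileged user fails with "Operation not permitted", while the value remains writable by root exactly as the reply above notes.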