Re: Proposal: Allowing access to dmesg for users in group adm

2020-08-20 Thread Florian Weimer
* Nicholas D. Steeves: > Given that our default sudoers (and afaik Ubuntu's) provides the > following rule > > %sudo ALL=(ALL:ALL) ALL > > would it be reasonable to modify this proposal to use the "sudo" rather > than "adm" group, given that we don't yet have a default mechanism to > enforce a

Re: Proposal: Allowing access to dmesg for users in group adm

2020-08-18 Thread Nicholas D Steeves
Hi, Ansgar writes: > On Mon, 2020-08-17 at 15:50 +1200, Matthew Ruffell wrote: >> I propose that we restrict access to dmesg to users in group 'adm' like so: >> >> 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel. >> 2) Following changes to /bin/dmesg permissions in package 'util-linux' >>

Re: Proposal: Allowing access to dmesg for users in group adm

2020-08-17 Thread Ansgar
On Mon, 2020-08-17 at 15:50 +1200, Matthew Ruffell wrote: > I propose that we restrict access to dmesg to users in group 'adm' like so: > > 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel. > 2) Following changes to /bin/dmesg permissions in package 'util-linux' > - Ownership changes to root:

Re: Proposal: Allowing access to dmesg for users in group adm

2020-08-17 Thread The Wanderer
On 2020-08-17 at 07:47, Bastian Blank wrote: > Hi > > On Mon, Aug 17, 2020 at 03:50:37PM +1200, Matthew Ruffell wrote: > >> 2) Following changes to /bin/dmesg permissions in package >> 'util-linux' >> - Ownership changes to root:adm >> - Permissions changed to 0750 (-rwxr-x---) > > You

Re: Proposal: Allowing access to dmesg for users in group adm

2020-08-17 Thread Bastian Blank
Hi On Mon, Aug 17, 2020 at 03:50:37PM +1200, Matthew Ruffell wrote: > 2) Following changes to /bin/dmesg permissions in package 'util-linux' > - Ownership changes to root:adm > - Permissions changed to 0750 (-rwxr-x---) You mean 0754? > - Add cap_syslog capability to binary. Can som

Re: Proposal: Allowing access to dmesg for users in group adm

2020-08-17 Thread The Wanderer
On 2020-08-17 at 07:42, Marco d'Itri wrote: > And what would be the point of setting kernel.dmesg_restrict=0 as long > as dmesg is still not world-executable? As far as I'm aware, it is: $ dlocate `which dmesg` util-linux: /bin/dmesg $ apt-cache policy util-linux util-linux: Installed: 2.36-

Re: Proposal: Allowing access to dmesg for users in group adm

2020-08-17 Thread Marco d'Itri
On Aug 17, Matthew Ruffell wrote: > I propose that we restrict access to dmesg to users in group 'adm' like so: > > 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel. Which is already the default for Debian. > 2) Following changes to /bin/dmesg permissions in package 'util-linux' > - Owners

Re: Proposal: Allowing access to dmesg for users in group adm

2020-08-16 Thread Geert Stappers
On Mon, Aug 17, 2020 at 03:50:37PM +1200, Matthew Ruffell wrote: > Hello! > > I am currently working on a downstream effort to get > CONFIG_SECURITY_DMESG_RESTRICT enabled in Ubuntu, and I would like to see if > the Debian community is interested in carrying some of my proposed patches to > Ubunt

Proposal: Allowing access to dmesg for users in group adm

2020-08-16 Thread Matthew Ruffell
Hello! I am currently working on a downstream effort to get CONFIG_SECURITY_DMESG_RESTRICT enabled in Ubuntu, and I would like to see if the Debian community is interested in carrying some of my proposed patches to Ubuntu. Debian already has CONFIG_SECURITY_DMESG_RESTRICT enabled by default sinc