* Nicholas D. Steeves:
> Given that our default sudoers (and afaik Ubuntu's) provides the
> following rule
>
> %sudo ALL=(ALL:ALL) ALL
>
> would it be reasonable to modify this proposal to use the "sudo" rather
> than "adm" group, given that we don't yet have a default mechanism to
> enforce a
Hi,
Ansgar writes:
> On Mon, 2020-08-17 at 15:50 +1200, Matthew Ruffell wrote:
>> I propose that we restrict access to dmesg to users in group 'adm' like so:
>>
>> 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
>> 2) Following changes to /bin/dmesg permissions in package 'util-linux'
>>
On Mon, 2020-08-17 at 15:50 +1200, Matthew Ruffell wrote:
> I propose that we restrict access to dmesg to users in group 'adm' like so:
>
> 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
> 2) Following changes to /bin/dmesg permissions in package 'util-linux'
> - Ownership changes to root:
On 2020-08-17 at 07:47, Bastian Blank wrote:
> Hi
>
> On Mon, Aug 17, 2020 at 03:50:37PM +1200, Matthew Ruffell wrote:
>
>> 2) Following changes to /bin/dmesg permissions in package
>> 'util-linux'
>> - Ownership changes to root:adm
>> - Permissions changed to 0750 (-rwxr-x---)
>
> You
Hi
On Mon, Aug 17, 2020 at 03:50:37PM +1200, Matthew Ruffell wrote:
> 2) Following changes to /bin/dmesg permissions in package 'util-linux'
> - Ownership changes to root:adm
> - Permissions changed to 0750 (-rwxr-x---)
You mean 0754?
> - Add cap_syslog capability to binary.
Can som
On 2020-08-17 at 07:42, Marco d'Itri wrote:
> And what would be the point of setting kernel.dmesg_restrict=0 al long
> as dmesg is still not world-executable?
As far as I'm aware, it is:
$ dlocate `which dmesg`
util-linux: /bin/dmesg
$ apt-cache policy util-linux
util-linux:
Installed: 2.36-
On Aug 17, Matthew Ruffell wrote:
> I propose that we restrict access to dmesg to users in group 'adm' like so:
>
> 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
Which is already the default for Debian.
> 2) Following changes to /bin/dmesg permissions in package 'util-linux'
> - Owners
On Mon, Aug 17, 2020 at 03:50:37PM +1200, Matthew Ruffell wrote:
> Hello!
>
> I am currently working on a downstream effort to get
> CONFIG_SECURITY_DMESG_RESTRICT enabled in Ubuntu, and I would like to see if
> the Debian community is interested in carrying some of my proposed patches to
> Ubunt
Hello!
I am currently working on a downstream effort to get
CONFIG_SECURITY_DMESG_RESTRICT enabled in Ubuntu, and I would like to see if
the Debian community is interested in carrying some of my proposed patches to
Ubuntu.
Debian already has CONFIG_SECURITY_DMESG_RESTRICT enabled by default sinc
9 matches
Mail list logo