Hello! In Oneiric, I'd like to change the default availability of yet another long-standing system debugging feature: dmesg.

Since Linux 2.6.37, CONFIG_DMESG_RESTRICT (/proc/sys/kernel/dmesg_restrict) has existed[1], but the default in Ubuntu has been to leave "dmesg" available to unprivileged users (i.e. lacking the CAP_SYSLOG capability, changed in 2.6.38[2]). I brought this up[3] in November, but ultimately decided to wait until we had more important reasons to enable it by default.

As we have continued to close kernel address leaks, the kernel syslog (dmesg) remains one of the last large places where information is being reported. As such, I want to close this off from regular users so that local kernel exploits continue to have an even harder time getting a foot-hold on vulnerabilities. And, as before, this is a tunable that you can change in /etc/sysctl.d/ if you do development work, like getting owned, etc. For the average user, this information is not needed.

Kernel address leaks will become even more valuable to exploit authors once kernel base address randomization[4] lands in the kernel, and I want to make sure Ubuntu is prepared, well in advance of the next LTS, for this change. When the base address is randomized, "dmesg" must be privileged, or else the exact offset is trivially visible (i.e. the offset from "0xc1000000"):

$ dmesg | grep -m1 text
[    0.000000] .text : 0xc1000000 - 0xc15112a1   (5188 kB)

Now, making "dmesg" a privileged command will require extensive changes to documentation, debug-info-gathering tools (e.g. users of "dmesg" like Apport), etc. The syslog daemon already has the needed privileges since it does more than just read the klog buffer (see [3] for a full list of klogctl() users).

As with last year's ptrace changes[5], I plan to patch the userspace tools (i.e. "dmesg") themselves to produce a useful error message instead of what it currently reports when /proc/sys/kernel/dmesg_restrict is set to "1":

$ dmesg
klogctl: Operation not permitted

I think something like this will be used:

$ dmesg
klogctl: Operation not permitted
The kernel syslog is only available to privileged users.
For more details, see /etc/sysctl.d/10-dmesg.conf

And then there will be extended information in that file, etc.

One unresolved problem is that the local default user (who is part of "admin") is also part of the "adm" group, which means these log files are visible without additional privileges:

-rw-r----- 1 root   adm 25937 2011-05-24 10:59 /var/log/dmesg
-rw-r----- 1 syslog adm     0 2011-05-24 11:17 /var/log/kern.log

(And some systems have a historically world-readable /var/log/dmesg that should be fixed...)

Does anyone see any problems in removing the default user from the "adm" group? It seems to almost exclusively only be used for log file reading permissions...

Thoughts, flames, etc?

-Kees

[1] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eaf06b241b091357e72b76863ba16e89610d31bd
[2] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=38ef4c2e437d11b5922723504b62824e96761459
[3] https://lists.ubuntu.com/archives/kernel-team/2010-November/013499.html
[4] https://lkml.org/lkml/2011/5/22/99
[5] https://lists.ubuntu.com/archives/ubuntu-devel/2010-May/030797.html

-- 
Kees Cook
Ubuntu Security Team

-- 
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
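As an added example (not part of Kees's mail, and not Ubuntu's own tooling), the following POSIX shell script audits the three things the proposal touches: whether kernel.dmesg_restrict is set, whether the kernel log files on disk are world-, adm- or owner-readable, and whether a given user is still a member of "adm" and so can read /var/log/dmesg and kern.log regardless of the sysctl. The helper names, the user "alice" and the group/sysctl sample files are constructed for the demonstration; the sysctl key, the /etc/sysctl.d/10-dmesg.conf path and the log file modes come from the mail. Each helper takes its inputs as arguments, so the same functions can be pointed at /proc/sys/kernel/dmesg_restrict and /etc/group on a live system.

```shell
#!/bin/sh
# Added example, not from Kees's mail: audit helpers for the dmesg_restrict
# proposal.  Inputs are passed as arguments so the script runs against the
# constructed sample data at the bottom as well as against a live system.

# Succeeds when the sysctl node at $1 (normally /proc/sys/kernel/dmesg_restrict)
# is 1, i.e. dmesg requires CAP_SYSLOG.  A missing node (pre-2.6.37 kernel)
# counts as unrestricted.
dmesg_restricted() {
    val=$(cat "$1" 2>/dev/null || echo 0)
    [ "$val" = "1" ]
}

# Writes the sysctl.d fragment that turns the restriction on, at path $1
# (the mail names /etc/sysctl.d/10-dmesg.conf for this).
write_dmesg_sysctl() {
    printf '%s\n' \
        '# Restrict the kernel syslog (dmesg) to users with CAP_SYSLOG.' \
        'kernel.dmesg_restrict = 1' > "$1"
}

# Classifies an "ls -l" mode string ($1, e.g. -rw-r-----) and group name ($2)
# of a kernel log file.  Prints one of:
#   world-readable     - the historical /var/log/dmesg problem
#   adm-readable       - only root and group adm can read it
#   group-readable:<g> - some other group has read access
#   owner-only         - nobody but the owner can read it
log_exposure() {
    mode=$1
    group=$2
    case "$mode" in
        ???????r??) echo world-readable ;;          # "other" read bit set
        ????r?????) if [ "$group" = adm ]; then     # group read bit set
                        echo adm-readable
                    else
                        echo "group-readable:$group"
                    fi ;;
        *)          echo owner-only ;;
    esac
}

# Succeeds when user $2 appears in the member list of the "adm" line of the
# group database $1 (a file in /etc/group format; /etc/group on a live host).
in_adm_group() {
    grep '^adm:' "$1" | cut -d: -f4 | tr ',' '\n' | grep -qx "$2"
}

# Summarises how user $3 can reach the kernel log, given the sysctl node $1
# and group database $2.  Returns 0 when neither route is open, 1 otherwise.
audit_kernel_log_access() {
    node=$1; groups_file=$2; user=$3; leak=0
    if dmesg_restricted "$node"; then
        echo "dmesg_restrict=1: unprivileged dmesg is blocked"
    else
        echo "dmesg_restrict=0: $user can read the live kernel log via dmesg"
        leak=1
    fi
    if in_adm_group "$groups_file" "$user"; then
        echo "$user is in adm: /var/log/dmesg and kern.log stay readable via the group"
        leak=1
    fi
    return $leak
}

# --- constructed sample data, not taken from a real machine ---
tmp=$(mktemp -d)
echo 0 > "$tmp/dmesg_restrict"          # the Ubuntu default before the change
cat > "$tmp/group" <<'EOF'
root:x:0:
adm:x:4:syslog,alice
admin:x:115:alice
EOF

echo "== before =="
audit_kernel_log_access "$tmp/dmesg_restrict" "$tmp/group" alice || true
log_exposure '-rw-r--r--' root          # world-readable: the bug the mail mentions

echo "== after enabling the sysctl and dropping alice from adm =="
write_dmesg_sysctl "$tmp/10-dmesg.conf"
echo 1 > "$tmp/dmesg_restrict"          # what applying that fragment would set
cat > "$tmp/group" <<'EOF'
root:x:0:
adm:x:4:syslog
admin:x:115:alice
EOF
audit_kernel_log_access "$tmp/dmesg_restrict" "$tmp/group" alice
log_exposure '-rw-r-----' adm           # adm-readable: root and syslog only now

rm -rf "$tmp"
```

Run it as-is to see the before/after on the constructed data; on a real Ubuntu host, call audit_kernel_log_access /proc/sys/kernel/dmesg_restrict /etc/group "$USER" and feed log_exposure the mode and group columns from ls -l /var/log/dmesg /var/log/kern.log. The audit deliberately reports both routes, because (as the mail points out) setting the sysctl alone does nothing for a user who remains in "adm".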
