In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access

  • phoronix
    Administrator
    • Jan 2007
    • 67398

    Phoronix: In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access

    Going back to the late Linux 2.6 kernel days has been the CONFIG_DMESG_RESTRICT (or for the past number of years, renamed to CONFIG_SECURITY_DMESG_RESTRICT) Kconfig option to restrict access to dmesg in the name of security, preventing unprivileged users from accessing this system log. While it's been brought up from time to time, Linux distributions are still generally allowing any user access to dmesg even though it may contain information that could help bad actors exploit the system...

  • George99
    Senior Member
    • Mar 2017
    • 226

    #2
    Hmm, I already need sudo/root to execute dmesg command. (debian) Which distros are we talking about?

    • dungeon
      Banned
      • Feb 2008
      • 7915

      #3
      Debian kernels have enabled this since the 4.8 kernel, back in 2016.

      • Grogan
        Senior Member
        • Jan 2013
        • 213

        #4
        Umm, good. I don't EVER want that. It should not be the default configuration of the kernel.

        Restrict it on your system if you want that.

        • Weasel
          Senior Member
          • Feb 2017
          • 4520

          #5
          I don't use VirtualBox, why should I be punished? Granted it's not a huge issue but still.

          • TruthPropeller
            Junior Member
            • Mar 2019
            • 16

            #6
            Related:

            • boxie
              Senior Member
              • Aug 2013
              • 1932

              #7
              Originally posted by Grogan
              Umm, good. I don't EVER want that. It should not be the default configuration of the kernel.

              Restrict it on your system if you want that.

              Default config should be secure. If the powers that be deem that I need to type sudo dmesg -w then so be it.
              I do not claim to be smarter than someone whose job it is to make that call.

              • bash2bash
                Senior Member
                • Jan 2019
                • 170

                #8
                In my opinion, access to dmesg should be restricted to root, by default. I do that in all my systems via my ansible playbook.

                This is important for various reasons, including privacy.

                Remember that all the good rootkits benefit by learning about the system they invade; the dmesg is one of the sources they use before infection.


                I'd be interested to know why a normal user would want to read the dmesg, is there a benefit to that?

                • linner
                  Senior Member
                  • Nov 2011
                  • 202

                  #9
                  The funny thing is, /var/log/kern* is usually restricted to root. However, dmesg often contains the same content yet any user can view it. It's weird and stupid.

                  • tildearrow
                    Senior Member
                    • Nov 2016
                    • 7099

                    #10
                    Slackware does this. It's kinda annoying to see the "read buffer kernel failed" message.

                    If I am the system's administrator, I should be able to read dmesg by default.
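
One way to check where a given machine stands on the setting this thread argues about, as an added example that is not from Phoronix or from any poster here. It assumes the standard `kernel.dmesg_restrict` sysctl and a distribution that ships its kernel config as `/boot/config-<release>`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit dmesg restriction. Paths are parameters so the
# functions can be run against constructed files as well as a live host.

# Runtime state, kernel.dmesg_restrict: 0 = any user may read the kernel log,
# 1 = reading requires CAP_SYSLOG.
dmesg_runtime() {
    f="${1:-/proc/sys/kernel/dmesg_restrict}"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(tr -d '[:space:]' < "$f")" in
        0) echo open ;;
        1) echo restricted ;;
        *) echo unknown ;;
    esac
}

# Build-time default, from the kernel config the distribution shipped.
dmesg_build_default() {
    f="${1:-/boot/config-$(uname -r)}"
    [ -r "$f" ] || { echo unknown; return; }
    if grep -q '^CONFIG_SECURITY_DMESG_RESTRICT=y$' "$f"; then echo restricted
    elif grep -q '^# CONFIG_SECURITY_DMESG_RESTRICT is not set$' "$f"; then echo open
    else echo unknown
    fi
}

# Persistent setting: last kernel.dmesg_restrict assignment in one sysctl.d
# directory (simplification: real precedence spans several directories).
dmesg_persistent() {
    d="${1:-/etc/sysctl.d}"
    v=$(cat "$d"/*.conf 2>/dev/null |
        sed -n 's/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p' |
        tail -n 1)
    case "$v" in 0) echo open ;; 1) echo restricted ;; *) echo unset ;; esac
}

# Verdict: compare what is enforced now with what the next boot will enforce.
dmesg_audit() {
    rt=$(dmesg_runtime "$1"); bd=$(dmesg_build_default "$2"); ps=$(dmesg_persistent "$3")
    boot=$bd; [ "$ps" = unset ] || boot=$ps   # sysctl.d overrides the build default
    case "$rt/$boot" in
        restricted/restricted) echo "OK: restricted now and after reboot" ;;
        restricted/*) echo "WARN: restricted now, boot state is $boot" ;;
        open/*) echo "FAIL: unprivileged users can read the kernel log" ;;
        *) echo "UNKNOWN: runtime=$rt boot=$boot" ;;
    esac
}

dmesg_audit   # live host, default paths
```

A WARN result is the case where someone ran `sysctl -w kernel.dmesg_restrict=1` by hand on a kernel built without the option: the restriction is lost on reboot unless a sysctl.d file carries it.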
