Announcement

Collapse
No announcement yet.

In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access

    Phoronix: In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access

    Going back to the late Linux 2.6 kernel days has been the CONFIG_DMESG_RESTRICT (or for the past number of years, renamed to CONFIG_SECURITY_DMESG_RESTRICT) Kconfig option to restrict access to dmesg in the name of security and not allowing unprivileged users from accessing this system log. While it's been brought up from time to time, Linux distributions are still generally allowing any user access to dmesg even though it may contain information that could help bad actors exploit the system...

    http://www.phoronix.com/scan.php?pag...ed-2019-So-Far

  • #2
    Hmm, I already need sudo/root to execute dmesg command. (debian) Which distros are we talking about?

    Comment


    • #3
      Debian kernels have enabled this since 4.8 kernel. back in year 2016.

      Comment


      • #4
        Umm, good. I don't EVER want that. It should not be the default configuration of the kernel.

        Restrict it on your system if you want that.

        Comment


        • #5
          I don't use VirtualBox, why should I be punished? Granted it's not a huge issue but still.

          Comment


          • #6
            Related:

            Comment


            • #7
              Originally posted by Grogan View Post
              Umm, good. I don't EVER want that. It should not be the default configuration of the kernel.

              Restrict it on your system if you want that.
              default config should be secure. if the powers that be deem that I need to type [strong]sudo dmesg -w[/strong] then so be it.
              I do not claim to be smarter than someone who's job it is to make that call

              Comment


              • #8
                In my opinion, access to dmesg should be restricted to root, by default. I do that in all my systems via my ansible playbook.

                This is important for various reasons, including privacy.

                Remember, that all the good rootkits benefit by learning about the system they invade, the dmesg is one of the sources they use before infection.


                I'd be interested to know why a normal user would want to read the dmesg, is there a benefit to that?

                Comment


                • #9
                  The funny thing is, /var/log/kern* is usually restricted to root. However, dmesg often contains the same content yet any user can view it. It's weird and stupid.

                  Comment


                  • #10
                    Slackware does this. It's kinda annoying to see the "read buffer kernel failed" message.

                    If I am the system's administrator, I should be able to read dmesg by default.

                    Comment

                    Working...
                    X