In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access


  • #11
    Indeed on Debian testing:
    HTML Code:
    config-4.19.0-4-amd64:CONFIG_SECURITY_DMESG_RESTRICT=y


    • #12
      Originally posted by Grogan
      Umm, good. I don't EVER want that. It should not be the default configuration of the kernel.

      Restrict it on your system if you want that.
      What is wrong with restricting dmesg for a regular user?! This is a sane choice. Your logic is a bit like a toilet flushing in reverse - a bit unpractical.

      http://www.dirtcellar.net


      • #13
        It's just a single command:

        Code:
        sudo echo "kernel.dmesg_restrict=1" > /etc/sysctl.d/kernel_dmesg.conf
        I don't understand this whole debate. Isn't that a "hardening" issue, in the discretion of a desktop user? Isn't that a "hardening" issue, in the discretion of a sysadmin for a production system?


        • #14
          There's a lot more useful information in 'ps -Afl' and only Android and ChromeOS hide that, that I'm aware of. Probably some hardened Linux distros as well.


          • #15
            Originally posted by Konstantin A.
            It's just a single command:

            Code:
            sudo echo "kernel.dmesg_restrict=1" > /etc/sysctl.d/kernel_dmesg.conf
            I don't understand this whole debate. Isn't that a "hardening" issue, in the discretion of a desktop user? Isn't that a "hardening" issue, in the discretion of a sysadmin for a production system?
            sudo doesn't work like that. You need to use tee for sudo piping:

            Code:
            echo "kernel.dmesg_restrict=1" | sudo tee /etc/sysctl.d/kernel_dmesg.conf

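A read-only audit for the setting discussed in posts #13 and #15, as an added example that is not part of any post in this thread: it reports whether `kernel.dmesg_restrict=1` is persisted in a sysctl.d directory and whether the running kernel has it applied. The function names, the status words and the single-directory simplification are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: read-only audit of kernel.dmesg_restrict.

# Print the value a sysctl.d-style directory leaves in effect, or "unset".
# *.conf files are read in lexical order and the last assignment wins.
# Assumption: one directory only; `sysctl --system` merges several.
persisted_value() {
    dir=$1
    val=unset
    for f in "$dir"/*.conf; do
        [ -r "$f" ] || continue
        # Accept "kernel.dmesg_restrict" or "kernel/dmesg_restrict", an optional
        # "-" prefix and spaces around "="; commented-out lines do not match.
        v=$(sed -n 's|^[[:space:]]*-\{0,1\}kernel[./]dmesg_restrict[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$|\1|p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    echo "$val"
}

# $1 = sysctl.d directory, $2 = file holding the runtime value.
audit_dmesg_restrict() {
    want=$(persisted_value "$1")
    if [ -r "$2" ]; then now=$(cat "$2"); else now=unknown; fi
    case "$want:$now" in
        1:1)     echo "OK: restricted now and on next boot" ;;
        1:*)     echo "PENDING: persisted as 1, runtime is $now (not applied yet)" ;;
        unset:1) echo "DEFAULT: runtime is 1 with no entry in $1 (kernel default or set elsewhere)" ;;
        *:1)     echo "VOLATILE: runtime is 1 but $1 persists $want" ;;
        *:0)     echo "OPEN: unprivileged users can read dmesg" ;;
        *)       echo "UNKNOWN: persisted=$want runtime=$now" ;;
    esac
}

# Read-only check of the live system.
audit_dmesg_restrict /etc/sysctl.d /proc/sys/kernel/dmesg_restrict
```

Writing the file does not change the running kernel: until `sudo sysctl --system` or a reboot applies it, the audit reports PENDING.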


            • #16
              I'm having a hard time understanding why this is such a big issue in the first place. Sure, maybe enable it by default for server distros, but this is one of those situations where I feel like people are taking security waaaay too seriously. If someone with malicious intent is able to run dmesg on your system in the first place, chances are, you've got bigger things to worry about than whatever info they're able to collect from it.


              • #17
                Originally posted by debianxfce
                An annoying feature. I disable it in my custom kernel.
                When are you going to fork the Linux kernel?


                • #18
                  I don't care. Distros are free to do this in hardened variants, but in most cases this is a minor inconvenience at best. I would understand this setting if you were allowing access to your machine over the network, since there's pretty much no point in securing down a machine someone has physical access to.


                  • #19
                    Originally posted by bash2bash
                    In my opinion, access to dmesg should be restricted to root, by default. I do that in all my systems via my ansible playbook.

                    This is important for various reasons, including privacy.

                    Remember, that all the good rootkits benefit by learning about the system they invade, the dmesg is one of the sources they use before infection.


                    I'd be interested to know why a normal user would want to read the dmesg, is there a benefit to that?
                    That's a bad justification - it's security by obscurity. If the kernel can be hacked through userspace processes, just because you know some small piece of information, then that implies bad security design/bugs.
                    Last edited by Guest; 20 April 2019, 12:22 PM. Reason: Replaced OS with kernel


                    • #20
                      You have it all wrong, you replied to something I didn't even mention.

                      I agree that security by obscurity is bad business and that is why I did NOT mention it above. There are other, perfectly valid reasons that dmesg SHOULD be hidden by default, like privacy.


                      Originally posted by sandy8925

                      That's a bad justification - it's security by obscurity. If the kernel can be hacked through userspace processes, just because you know some small piece of information, then that implies bad security design/bugs.
