Announcement

**Guest** · 20 April 2019, 01:29 PM

Originally posted by bash2bash View Post

You have it all wrong, you replied to something I didn't even mention.

I agree that security by obscurity is bad business and that is why I did NOT mention it above. There are other, perfectly valid reasons that dmesg SHOULD be hidden by default, like privacy.

"Remember, that all the good rootkits benefit by learning about the system they invade, the dmesg is one of the sources they use before infection." - that's a security justification you've provided there, and it explicitly states that the system will somehow be insecure if you don't hide some small piece of information. That's pretty much the definition of security by obscurity.

You used the word privacy, but didn't provide any examples to highlight why user access to dmesg would be bad for privacy.

**bash2bash** · 20 April 2019, 01:53 PM

My quote is not about security by obscurity but its obvious you are wrong and you won't admit it, so this argument is /dev/null

In essence, if dmesg should have a justification for being readable by everyone not the over way around.

Originally posted by sandy8925 View Post

"Remember, that all the good rootkits benefit by learning about the system they invade, the dmesg is one of the sources they use before infection." - that's a security justification you've provided there, and it explicitly states that the system will somehow be insecure if you don't hide some small piece of information. That's pretty much the definition of security by obscurity.

You used the word privacy, but didn't provide any examples to highlight why user access to dmesg would be bad for privacy.

**Luke_Wolf** · 20 April 2019, 03:29 PM

Security theater at it's best.

To exploit this requires a compromised user account and having a kernel exploit to actually do anything. If they're that far you're already screwed.

Meanwhile the information is very useful to have for users to diagnose what's going wrong with their machine.

**szymon_g** · 20 April 2019, 03:38 PM

btw, is there any way to restrict ability of a 'normal' user to see the processes owned by root/others? I know Grsecurity used to offer it few years ago, I wonder if I can have something similar now without that patch

**Grogan** · 20 April 2019, 04:12 PM

Seeing dmesg output is useful, for example plugging in a USB device, I like to check to see if it's properly configured. I like to check for errors if something doesn't go right.

I'm not using "sudo".

A dumbed down system makes for dumb users. How can a user even report a problem if they can't see i/o errors and stuff. I'm old school and I've been using Linux for many years. I have helped a lot of people, solve a lot of problems just by looking at dmesg output.

The bullshit I have to circumvent in most distros these days just to have a usable system royally pisses me off. Keep it up, and it will be just like Windows where if you want to get anything done you have to run with elevated privileges.

**DarkFoss** · 20 April 2019, 05:01 PM

I'm running Kde-Neon, no need to use sudo just dmesg in a terminal works. I normally use dmesg | grep -i -w -e drm -e amdgpu to see if an error in the current kernel is fixed when running mainline.

**Mangix** · 20 April 2019, 05:15 PM

Happy to report I added this in OpenWrt. Not that it matters.

kernel: Restrict dmesg output to root. · openwrt/openwrt@45219c1

https://github.com/openwrt/openwrt/commit/45219c1c0ff9e896fc626ad3415cf2fe8a3c635d

In typical OpenWrt setups, there are no other users that have a shell spawned for them by default. This can be overriden by the kernel.dmesg_output syssctl. Signed-off-by: Rosen Penev <rosenp@...

**aht0** · 20 April 2019, 06:04 PM

Originally posted by szymon_g View Post

btw, is there any way to restrict ability of a 'normal' user to see the processes owned by root/others? I know Grsecurity used to offer it few years ago, I wonder if I can have something similar now without that patch

I think I've seen the latter in Linux too somewhere. Probably in Alpine Linux.

**F.Ultra** · 20 April 2019, 07:07 PM

Originally posted by TruthPropeller View Post

**ssokolow** · 20 April 2019, 07:46 PM

To be honest, locking down dmesg feels like the Linux equivalent of those The Old New Thing posts about clients trying to report supposed Windows security vulnerabilities that get WONTFIX'd because "they're already on the other side of the airtight hatch" and the fix would require drastic changes.

(The kind of thing where the reproduction instructions often begin with putting a malicious DLL somewhere that requires permissions that already allowed much less convoluted exploits... such as just attacking the EXE being compromised in the first place.)

...in no small part because dmesg is important for efficiently diagnosing things like "Device was plugged into a bad/too-slow USB hub/cable".

Why not just fix it properly by having a sysctl to hide memory addresses from dmesg instead?

Announcement

In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment