Seems like the best approach would be to lock it down by default, and make it accessible in a diagnostic boot mode, something between console only rescue mode and secured multiuser mode. I might play around with a runlevel to see how feasible a package or script to deploy such a mode would be.
Announcement
Collapse
No announcement yet.
In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access
Collapse
X
-
Originally posted by szymon_g View Postbtw, is there any way to restrict ability of a 'normal' user to see the processes owned by root/others? I know Grsecurity used to offer it few years ago, I wonder if I can have something similar now without that patchCode:mount -o remount /proc -o hidepid=2
Comment
-
Originally posted by birdie View PostSo many alternatively gifted wanna-be security professionals/researchers here it's mind boggling.
First of all, dmesg can be run only by local users - it's inaccessible remotely.
Secondly, if the malicious actor has a shell on your PC you're already royally f*cked (think key logging, desktop screenshot'ing, traffic sniffing, etc.) and hiding `dmesg` is completely useless.
Thirdly, a LOT of dmesg data/information can be easily fetched from /proc, /sys and by running certain shell commands. Like over 95% of it.
Fourthly, I've been using Linux for over 20 years and I have never heard of a single security/privacy issue related to (the) dmesg (output) being available to non-root users. Not a single f*cking case.
What a dumb mess we have here. LOOOL.
Phoronix commentators never cease to amaze with their idiocy.
- Likes 1
Comment
-
-
"All this security madness will lead to one thing, the user will start running lots of things via sudo by default and the net result will be decreased security."
Code:mkdir -p /etc/sysctl.d tee -a /etc/sysctl.d/90-security.conf<<<'kernel.dmesg_restrict = 0' sysctl -p /etc/sysctl.d/90-security.conf
Comment
-
To address https://xkcd.com/1200/. From a kernel hardening perspective, anything
we can do to make it harder for regular users to attack kernel space, that's
good, because even if a service is running as "nobody" and it gets exploited,
the first thing the attacker is going to do is try to elevate privileges to
then attack the user account with email, Facebook, etc. access. One way to do
that is a kernel exploit, which they would have to bypass KALSR to do, and if
they have a leaked address from dmesg (because dmesg_restrict is not set) then
they can use a bug they would have been otherwise unable to use to do that.
Attackers needs a KALSR info leak in order to run the code execution portion of
their exploit, and while dmesg is not the only way they could get that info
leak, it is one possibility, and therefore the secure default is to disable
non-root users access to it.
- Likes 3
Comment
-
Originally posted by Weasel View PostFor a moment imagine that those people should absolutely not be the default.
So wisely expect Linux future developments in ever-increasing amounts getting dictated by corporate interests. You, simple home user, don't matter, if you get something then because some corporates invest money into development of workstations too. You have you free ride, if you dislike the changes, feel free to switch to alternative OS'es.
On a softer tone. Similar limitations are optional on several BSD's too (more precisely, limiting dmesg to super user and not allowing unprivileged user see any other processes than his/her own). So, it's not just some pointless paranoia by some Linux dev. Poster above brought out very good point about one possible attack vector using dmesg on user level.Last edited by aht0; 22 April 2019, 10:56 PM.
- Likes 1
Comment
-
joining the security by obscurity bandwagon? hold my beer, done: https://youtu.be/HD6D9gNclYI?t=270
- Likes 1
Comment
Comment