Originally posted by rene
View Post
Ubuntu 20.10 Looking At Restricting Access To Kernel Logs With dmesg
Collapse
X
-
Originally posted by CommunityMember View Post
And, of course, for those individuals on single use systems that one has administrative control over one can create the sysctl override file to change the operational default back to unprivileged, which I would not be surprised to learn that many of those individuals may choose to do.
Comment
-
-
So what you are saying is.. Ubuntu and other Linux vendors are developing a way to run
chmod 550 /bin/dmesg
Well.. sounds like a serious issue that will take a lot of engineering. I hope they figure it out.. might take them a while.. We might need and entire framework and systemd-dmesg for this.Last edited by k1e0x; 17 June 2020, 01:51 PM.
Comment
-
-
Originally posted by k1e0x View PostSo what you are saying is.. Ubuntu and other Linux vendors are developing a way to run
chmod 550 /bin/dmesg
Well.. I hope they figure it out.. might take them a while..
Comment
-
-
Originally posted by ssokolow View Post
AFAIK, the underlying syscalls aren't privileged, so an attacker could just bring their own copy of dmesg or call them directly in whatever tool they're cobbling together. This would make calling them a privileged operation.
No.. This only matters in servers and user writable directories shouldn't be executable.
I don't really see this as something that needs to be fixed on a syscall level. That feels like a heavy hand to me. I'm sure there are probably situations where this becomes a problem. (such as in a container) but perhaps that can be better done on the container level? Again I'm viewing this from sysadmin perspective and not developer perspective.. executing your own code on a production box? no thanks. You can't put in protections for every binary someone could possibly put on there.
There is no "pro user / developers" There is only users and admins. Clearly a dev wrote that.. it is not a thing I assure you they are just users.Last edited by k1e0x; 17 June 2020, 06:05 PM.
Comment
-
-
Originally posted by k1e0x View Post
What? You let users install their own software???? What kind of admin are you? heh
No.. This only matters in servers and user writable directories shouldn't be executable.
I don't really see this as something that needs to be fixed on a syscall level. That feels like a heavy hand to me. I'm sure there are probably situations where this becomes a problem. (such as in a container) but perhaps that can be better done on the container level? Again I'm viewing this from sysadmin perspective and not developer perspective.. executing your own code on a production box? no thanks. You can't put in protections for every binary someone could possibly put on there.
There is no "pro user / developers" There is only users and admins. Clearly a dev wrote that.. it is not a thing I assure you they are just users.
Code:cat /dev/kmsg
While it doesn't read the kernel message log, here's an example of what I'm talking about which can't be disallowed at the language level without breaking things that would legitimately be run on the server:
python3 <<< "import ctypes; print(ctypes.CDLL('libc.so.6').access('/bin/bash', 4))"
Comment
-
Comment