Ubuntu 20.10 Moving Ahead In Restricting Access To dmesg

  • Ubuntu 20.10 Moving Ahead In Restricting Access To dmesg

    Phoronix: Ubuntu 20.10 Moving Ahead In Restricting Access To dmesg

    Following the discussions last month over restricting access to dmesg / kernel logs on Ubuntu in matching the behavior of other Linux distributions for better security practices, Ubuntu 20.10 indeed is moving forward with these plans where dmesg access would require root privileges...

    http://www.phoronix.com/scan.php?pag...esg-Needs-Root

  • #2
    You know what this decision will actually lead to? People will start using sudo for pretty much everything without thinking. If anything, limitations like this make security worse, not better. There's very little [security] info that can be picked from dmesg and then lots of data is still available using /proc, /sys and various kernel APIs.



    • #3
      Originally posted by birdie
      You know what this decision will actually lead to? People will start using sudo for pretty much everything without thinking. If anything, limitations like this make security worse, not better. There's very little [security] info that can be picked from dmesg and then lots of data is still available using /proc, /sys and various kernel APIs.
      It's also about restricting access to sensitive information that shouldn't be available for non-admin users. This is crucial in the context of security and it is always part of any hardening guide.

      Next to that, using sudo for everything is actually a better thing, because all sudo uses are logged and can be part of an audit process, in comparison to su. At that point questions can arise like: why did that user access those logs and kernel information? And necessary action can be taken to investigate/modify access.



      • #4
        This one Canonical Ubuntu 20.10 inner family is one of three "temporary" Ubuntus before the next Ubuntu LTS, 22.04. There are also the 21.04 & 21.10 editions ahead. These Ubuntus are downstream from the Debian editions. There are even many more Linux operating systems that are further downstream from the small number of the inner Canonical Ubuntu family.
        Of special interest is which of these very many Ubuntu downstreamers will also include these Ubuntu 20.10 innovations? These downstreamers try to be more innovative, more adventurous than the big name "Canonical conservatives" upon which they are based. Mint 20.04 is the biggest of these Ubuntu outsiders. It has added many innovations. Which, if any, of these will make it into which of the official future Canonicals?
        Last edited by gregzeng; 07-03-2020, 04:00 AM.



        • #5
          Originally posted by EarthMind

          It's also about restricting access to sensitive information that shouldn't be available for non-admin users. This is crucial in the context of security and it is always part of any hardening guide.

          Next to that, using sudo for everything is actually a better thing, because all sudo uses are logged and can be part of an audit process, in comparison to su. At that point questions can arise like: why did that user access those logs and kernel information? And necessary action can be taken to investigate/modify access.
          1. It's trivial to create an audit policy which will log dmesg invocations by the user.
          2. Enlighten me as to what "sensitive information" can be picked up from dmesg which is impossible to get by other means aside from maybe iptables/nftables logging which is not even enabled by default in Ubuntu.

          Again what is "crucial in the context of security and it is always part of any hardening guide" - I keep hearing that again and again, and so far I haven't seen a single example of anything "crucial" in dmesg.

          Speaking of "hardening guides". Many of them are outright idiotic, for instance they insist on changing your passwords regularly. Why would you do that? It's never been proven to be effective against anything and at the same time people who are forced to change their passwords regularly start creating simple passwords and putting them in text files on their desktop. Good passwords which haven't been leaked/revealed/hacked are OK to use for eternity. Period.



          • #6
            Originally posted by birdie
            Speaking of "hardening guides". Many of them are outright idiotic, for instance they insist on changing your passwords regularly. Why would you do that? It's never been proven to be effective against anything and at the same time people who are forced to change their passwords regularly start creating simple passwords and putting them in text files on their desktop. Good passwords which haven't been leaked/revealed/hacked are OK to use for eternity. Period.
            Because good passwords get leaked/revealed/hacked all the time?
            Just kidding :'D



            • #7
              Originally posted by birdie
              You know what this decision will actually lead to? People will start using sudo for pretty much everything without thinking. If anything, limitations like this make security worse, not better. There's very little [security] info that can be picked from dmesg and then lots of data is still available using /proc, /sys and various kernel APIs.
              Every change breaks someone's workflow, in this case yours. Don't try to generalise your pet peeve into a global problem.



              • #8
                Originally posted by royce

                Every change breaks someone's workflow, in this case yours. Don't try to generalise your pet peeve into a global problem.
                Mine is not affected as I use Fedora which hasn't yet engaged in this security theatre idiocy.



                • #9
                  Originally posted by birdie
                  Again what is "crucial in the context of security and it is always part of any hardening guide" - I keep hearing that again and again, and so far I haven't seen a single example of anything "crucial" in dmesg.
                  This is all public information readily accessible

                  https://lwn.net/Articles/414813/

                  "The kernel syslog contains debugging information that is often useful during exploitation of other vulnerabilities, such as kernel heap addresses"

                  This kconfig option was introduced and merged for a reason

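A check for the setting discussed in post #9, as an added example that is not part of the thread: it reads the `kernel.dmesg_restrict` sysctl and the `CONFIG_SECURITY_DMESG_RESTRICT` build default and reports whether unprivileged users can read the kernel log. The function names and the `/boot/config-$(uname -r)` path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the dmesg restriction discussed above.
# Paths are parameters so the functions can also run against a constructed tree.

# Runtime state of the kernel.dmesg_restrict sysctl.
# 1 = reading the kernel log needs CAP_SYSLOG; 0 = any user can read it.
dmesg_restrict_runtime() {
    f="${1:-/proc}/sys/kernel/dmesg_restrict"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        0) echo unrestricted ;;
        1) echo restricted ;;
        *) echo unknown ;;
    esac
}

# Build-time default taken from a kernel config file.
dmesg_restrict_default() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_SECURITY_DMESG_RESTRICT=y' "$1"; then
        echo restricted
    elif grep -q '^# CONFIG_SECURITY_DMESG_RESTRICT is not set' "$1"; then
        echo unrestricted
    else
        echo unknown
    fi
}

# Compare both: a restricted default that is open at runtime means something
# (a sysctl.d drop-in, a boot script) relaxed it after boot.
dmesg_restrict_audit() {
    run=$(dmesg_restrict_runtime "$1")
    def=$(dmesg_restrict_default "$2")
    case "$run/$def" in
        restricted/*)            verdict=ok ;;
        unrestricted/restricted) verdict=relaxed-at-runtime ;;
        unrestricted/*)          verdict=exposed ;;
        *)                       verdict=undetermined ;;
    esac
    echo "runtime=$run default=$def verdict=$verdict"
}

# Live system check; the config path is the usual Debian/Ubuntu location.
dmesg_restrict_audit /proc "/boot/config-$(uname -r)"
```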


                  • #10
                    Originally posted by birdie

                    Mine is not affected as I use Fedora which hasn't yet engaged in this security theatre idiocy.
                    I think that Fedora and every other distribution will soon follow Ubuntu's lead and restrict access to dmesg.

