kees at ubuntu.com
Tue Nov 16 17:50:16 GMT 2010
So, now that it is possible to restrict access to dmesg, I would like
to make this restriction the default in Ubuntu. The information in dmesg
can potentially leak kernel memory targets for local attackers. While
there are certainly plenty of targets, this restriction will close a
door on at least some of them.
This will obviously mean changing documentation and a number of
applications that use "dmesg" output. Luckily, they should all
fall into the "debugging" category instead of the "regular use"
category. (Specifically I'm thinking of Apport at the very least.)
I figure we could add a useful error message to "dmesg" to provide
education about the change, which would suggest using "sudo" or pointing
people to the new /proc/sys/kernel/dmesg_restrict sysctl.
Ubuntu Security Team
More information about the ubuntu-devel