Enabling the kernel's DMESG_RESTRICT feature

Matt Zimmerman mdz at ubuntu.com
Thu Jun 2 12:14:06 UTC 2011

On Fri, May 27, 2011 at 10:17:59AM -0700, Kees Cook wrote:
> On Fri, May 27, 2011 at 04:29:33PM +0100, Matt Zimmerman wrote:
> > On Thu, May 26, 2011 at 04:55:59PM -0700, Kees Cook wrote:
> > > I won't say it doesn't complicate things, but I would like to point out
> > > that everyone else's suggestion for this is to completely remove the values
> > > from the dmesg report itself, rendering it unavailable to any user, even
> > > root.
> > 
> > It seems we are forced into this dichotomy because there is only one log,
> > which is mixing different types of information.  Has anyone proposed
> > separating kernel debugging information from simple status logging, and
> > allowing the remainder to remain accessible to users?
> I don't think this would end up being sensible either, as the task of
> performing debugging may need access to both. I still don't see the problem
> of debugging as root. If you're not the system owner, you're not going to
> be able to _change_ the system in an effort to fix the problem you are
> debugging.

Maybe I'm weird, but I use dmesg for a lot of "normal" tasks, not just
debugging problems which will require root to fix.  The most common is
probably the traditional "what device node was assigned to that device I
just plugged in?" query.  I also have a habit, surely derived from running
lots of bleeding edge code, of running dmesg from time to time just to check
if anything weird is going on.

 - mdz
