Enabling the kernel's DMESG_RESTRICT feature
Matt Zimmerman
mdz at ubuntu.com
Thu Jun 2 12:14:06 UTC 2011
On Fri, May 27, 2011 at 10:17:59AM -0700, Kees Cook wrote:
> On Fri, May 27, 2011 at 04:29:33PM +0100, Matt Zimmerman wrote:
> > On Thu, May 26, 2011 at 04:55:59PM -0700, Kees Cook wrote:
> > > I won't say it doesn't complicate things, but I would like to point out
> > > that everyone else's suggestion for this is to completely remove the values
> > > from the dmesg report itself, rendering it unavailable to any user, even
> > > root.
> >
> > It seems we are forced into this dichotomy because there is only one log,
> > which is mixing different types of information. Has anyone proposed
> > separating kernel debugging information from simple status logging, and
> > allowing the remainder to remain accessible to users?
>
> I don't think this would end up being sensible either, as the task of
> performing debugging may need access to both. I still don't see the problem
> of debugging as root. If you're not the system owner, you're not going to
> be able to _change_ the system in an effort to fix the problem you are
> debugging.
Maybe I'm weird, but I use dmesg for a lot of "normal" tasks, not just
debugging problems which will require root to fix. The most common is
probably the traditional "what device node was assigned to that device I
just plugged in?" query. I also have a habit, surely derived from running
lots of bleeding edge code, of running dmesg from time to time just to check
if anything weird is going on.
--
- mdz