Enabling the kernel's DMESG_RESTRICT feature

Dustin Kirkland kirkland at ubuntu.com
Thu Jun 2 19:03:48 UTC 2011

On Thu, Jun 2, 2011 at 8:14 AM, Matt Zimmerman <mdz at ubuntu.com> wrote:
> On Fri, May 27, 2011 at 10:17:59AM -0700, Kees Cook wrote:
>> On Fri, May 27, 2011 at 04:29:33PM +0100, Matt Zimmerman wrote:
>> > On Thu, May 26, 2011 at 04:55:59PM -0700, Kees Cook wrote:
>> > > I won't say it doesn't complicate things, but I would like to point out
>> > > that everyone else's suggestion for this is to completely remove the values
>> > > from the dmesg report itself, rendering it unavailable to any user, even
>> > > root.
>> >
>> > It seems we are forced into this dichotomy because there is only one log,
>> > which is mixing different types of information.  Has anyone proposed
>> > separating kernel debugging information from simple status logging, and
>> > allowing the remainder to remain accessible to users?
>> I don't think this would end up being sensible either, as the task of
>> performing debugging may need access to both. I still don't see the problem
>> of debugging as root. If you're not the system owner, you're not going to
>> be able to _change_ the system in an effort to fix the problem you are
>> debugging.
> Maybe I'm weird, but I use dmesg for a lot of "normal" tasks, not just
> debugging problems which will require root to fix.  The most common is
> probably the traditional "what device node was assigned to that device I
> just plugged in?" query.  I also have a habit, surely derived from running
> lots of bleeding edge code, of running dmesg from time to time just to check
> if anything weird is going on.

Yeah, I use it to check if a hotplug usb disk showed up, and what scsi
device name it got assigned.

I also use it (indirectly) to monitor wifi messages a la the
wifi-status tool, which watches [iwconfig + ifconfig + dmesg]:
 * http://manpg.es/wifi-status

I suppose wifi-status might need to move to /usr/sbin, and require
sudo with your new changes, Kees?


Dustin Kirkland
Ubuntu Core Developer

More information about the ubuntu-devel mailing list