Enabling the kernel's DMESG_RESTRICT feature

Clint Byrum clint at ubuntu.com
Tue May 24 22:00:17 UTC 2011

Excerpts from Kees Cook's message of Tue May 24 11:46:48 -0700 2011:
> One unresolved problem is that the local default user (who is part of
> "admin") is also part of the "adm" group, which means these log files are
> visible without additional privileges:
> -rw-r----- 1 root   adm 25937 2011-05-24 10:59 /var/log/dmesg
> -rw-r----- 1 syslog adm     0 2011-05-24 11:17 /var/log/kern.log
> (And some system have a historically world-readable /var/log/dmesg that
> should be fixed...) Does anyone see any problems in removing the default
> user from the "adm" group? It seems to almost exclusively only be used for
> log file reading permissions...
> Thoughts, flames, etc?


I've always been a bit surprised at how much I can see in /var/log when
logged into a brand new box as the initial admin user. I think users are
accustomed to sudo when debugging issues, and I'm comfortable with saying
that reading /var/log/* is just one more thing you need to use sudo for.

More information about the ubuntu-devel mailing list