Enabling the kernel's DMESG_RESTRICT feature
Clint Byrum
clint at ubuntu.com
Tue May 24 22:00:17 UTC 2011
Excerpts from Kees Cook's message of Tue May 24 11:46:48 -0700 2011:
> One unresolved problem is that the local default user (who is part of
> "admin") is also part of the "adm" group, which means these log files are
> visible without additional privileges:
>
> -rw-r----- 1 root adm 25937 2011-05-24 10:59 /var/log/dmesg
> -rw-r----- 1 syslog adm 0 2011-05-24 11:17 /var/log/kern.log
>
> (And some systems have a historically world-readable /var/log/dmesg that
> should be fixed...) Does anyone see any problems in removing the default
> user from the "adm" group? It seems to almost exclusively only be used for
> log file reading permissions...
>
> Thoughts, flames, etc?
+1
I've always been a bit surprised at how much I can see in /var/log when
logged into a brand new box as the initial admin user. I think users are
accustomed to sudo when debugging issues, and I'm comfortable with saying
that reading /var/log/* is just one more thing you need to use sudo for.
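An added audit helper illustrating the two conditions the thread discusses: whether kernel.dmesg_restrict is set, and which /var/log entries are readable by members of "adm" (or by everyone) without sudo. This is example code written for this page, not from the ubuntu-devel thread or from Ubuntu's own tooling; the function names are my own, and the sample listing is constructed to mirror the ls output quoted above.

```shell
#!/bin/sh
# Added audit helper (not from the ubuntu-devel thread): reports the kernel
# dmesg_restrict sysctl and classifies log files by who can read them.

# Report kernel.dmesg_restrict: 1 = reading the kernel ring buffer needs
# CAP_SYSLOG, 0 = any local user can run dmesg, "unknown" if the sysctl
# file is not present on this system.
dmesg_restrict_state() {
    f=/proc/sys/kernel/dmesg_restrict
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo unknown
    fi
}

# Classify an ls -l mode string plus owning group into one of:
#   world   - any local user can read the file
#   group:G - members of group G (e.g. adm) can read it without sudo
#   owner   - only the owner (or root) can read it
# A trailing "." or "+" (SELinux label / ACL marker) is tolerated.
classify_mode() {
    mode=$1
    group=$2
    case "$mode" in
        ???????r*) echo world ;;
        ????r*)    echo "group:$group" ;;
        *)         echo owner ;;
    esac
}

# Read ls -l style lines on stdin and print "<classification> <path>".
audit_listing() {
    while read -r mode links owner group size date time path; do
        [ -n "$path" ] || continue
        echo "$(classify_mode "$mode" "$group") $path"
    done
}

# Print the member list of a group from a group(5) file (default /etc/group),
# e.g. to see which login users hold adm read access.
group_members() {
    grp=$1
    file=${2:-/etc/group}
    awk -F: -v g="$grp" '$1 == g { print $4 }' "$file"
}

# Constructed sample listing (hypothetical third entry added) that mirrors
# the quoted ls -l output from the thread.
SAMPLE_LISTING='-rw-r----- 1 root adm 25937 2011-05-24 10:59 /var/log/dmesg
-rw-r----- 1 syslog adm 0 2011-05-24 11:17 /var/log/kern.log
-rw-r--r-- 1 root root 1200 2011-05-24 11:17 /var/log/dmesg.0'

main() {
    echo "kernel.dmesg_restrict = $(dmesg_restrict_state)"
    echo "--- sample listing ---"
    echo "$SAMPLE_LISTING" | audit_listing
    if [ -r /etc/group ]; then
        echo "adm members: $(group_members adm)"
    fi
    echo "--- live /var/log ---"
    ls -l /var/log 2>/dev/null | grep '^-' | audit_listing
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh audit-logs.sh --run`. Any line reported as `world` is the historically world-readable case Kees mentions; lines reported as `group:adm` are the ones the initial admin user can read only because of adm membership, which is exactly what removing that user from adm (and setting kernel.dmesg_restrict=1 for the ring buffer itself) would close off.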