Enabling the kernel's DMESG_RESTRICT feature

Scott Kitterman ubuntu at kitterman.com
Wed May 25 12:07:14 UTC 2011


On Tuesday, May 24, 2011 06:00:17 PM Clint Byrum wrote:
> Excerpts from Kees Cook's message of Tue May 24 11:46:48 -0700 2011:
> > One unresolved problem is that the local default user (who is part of
> > "admin") is also part of the "adm" group, which means these log files are
> > visible without additional privileges:
> > 
> > -rw-r----- 1 root   adm 25937 2011-05-24 10:59 /var/log/dmesg
> > -rw-r----- 1 syslog adm     0 2011-05-24 11:17 /var/log/kern.log
> > 
> > (And some systems have a historically world-readable /var/log/dmesg that
> > should be fixed...) Does anyone see any problems in removing the default
> > user from the "adm" group? It seems to almost exclusively only be used
> > for log file reading permissions...
> > 
> > Thoughts, flames, etc?
> 
> +1
> 
> I've always been a bit surprised at how much I can see in /var/log when
> logged into a brand new box as the initial admin user. I think users are
> accustomed to sudo when debugging issues, and I'm comfortable with saying
> that reading /var/log/* is just one more thing you need to use sudo for.

This doesn't match how I think of it, but I may be unusual (in this regard - 
otherwise I think that's already well established).  I have tended to view 
sudo/root as "ooh, be careful not to break the system" and "understand the 
system" as something I should do as a normal user (with limited exceptions).

Currently on the 11.04 system I'm typing this on, I have:

-rw-r----- 1 root   adm    53466 2011-05-24 13:19 dmesg

/var/log has a mix of files owned by group root and group adm.  Instead of 
removing normal user access to all the files in /var/log, couldn't we just 
change the group of dmesg* to root?

I don't know about other GUI tools, but Kubuntu's userconfig gives a checkbox 
to "Access system logs" that adds the user to adm.  If we're fundamentally 
changing how system logs are accessed we'll need to change that.  Other GUI 
user configuration tools should also be checked for this (and appropriate work 
items added to the spec).

Scott K

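An added example, not part of Scott's message or of anything else posted in this thread: a small POSIX shell audit that makes the point of the discussion concrete. It reports the kernel.dmesg_restrict sysctl, classifies every file under a log directory by who can read it from its mode bits alone (world, owning group, or owner only), and counts what a non-root user who is, or is not, a member of a given group such as adm can read. The function names are my own; it assumes a Linux-like system with find(1), ls(1) and awk(1), and the /var/log path in the usage note below is just the obvious place to point it.

```shell
#!/bin/sh
# Added example (not code from the ubuntu-devel thread): audit which log
# files a non-root user can read, in the spirit of the DMESG_RESTRICT
# discussion.  Assumes a Linux-like system with POSIX sh, find, ls and awk;
# /proc is optional.

# Current value of kernel.dmesg_restrict: "0" means any local user may call
# dmesg(1), "1" means CAP_SYSLOG is required; "unknown" when /proc is absent
# (non-Linux host or a container that hides it).
dmesg_restrict_state() {
    f=/proc/sys/kernel/dmesg_restrict
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Classify one file by who can read it, judged from its mode bits alone:
#   world  - readable by everyone (o+r); restricting dmesg(1) buys nothing
#            while the log copy is open to all
#   group  - readable by members of the owning group (g+r), e.g. "adm"
#   owner  - readable only by the owner (normally root)
# "find -perm -MASK" asks whether at least the bits in MASK are set.
read_scope() {
    f=$1
    if   [ -n "$(find "$f" -maxdepth 0 -perm -004)" ]; then echo world
    elif [ -n "$(find "$f" -maxdepth 0 -perm -040)" ]; then echo group
    else echo owner
    fi
}

# Walk DIR and print "<scope> <group> <path>" for each regular file, sorted
# for stable output.  The owning group is taken from ls -ld (field 4) rather
# than GNU-only stat(1) options, so this also works on BSD userlands.
audit_logs() {
    dir=$1
    find "$dir" -type f | while IFS= read -r f; do
        grp=$(ls -ld "$f" | awk '{print $4}')
        printf '%s %s %s\n' "$(read_scope "$f")" "$grp" "$f"
    done | sort
}

# Count the files under DIR that a non-root user in group GRP can read:
# everything world-readable plus group-readable files owned by GRP.
# Call it once with "adm" and once with a group the user is not in to see
# exactly what dropping the default user from "adm" would take away.
readable_by_member_of() {
    dir=$1; grp=$2
    audit_logs "$dir" |
        awk -v g="$grp" '$1=="world" || ($1=="group" && $2==g) {n++} END {print n+0}'
}
```

Typical use is `audit_logs /var/log` to see the per-file picture, then `readable_by_member_of /var/log adm` against `readable_by_member_of /var/log nogroup` to quantify the difference between a default adm member and an ordinary user; `dmesg_restrict_state` shows whether the sysctl half of the change is already in effect. Any file that comes back as `world` is visible whatever the kernel setting, which is the case of the historically world-readable /var/log/dmesg mentioned in the thread.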