Enabling the kernel's DMESG_RESTRICT feature

Kees Cook kees at ubuntu.com
Wed May 25 17:01:12 UTC 2011


On Wed, May 25, 2011 at 08:07:14AM -0400, Scott Kitterman wrote:
> On Tuesday, May 24, 2011 06:00:17 PM Clint Byrum wrote:
> > Excerpts from Kees Cook's message of Tue May 24 11:46:48 -0700 2011:
> > > One unresolved problem is that the local default user (who is part of
> > > "admin") is also part of the "adm" group, which means these log files are
> > > visible without additional privileges:
> > > 
> > > -rw-r----- 1 root   adm 25937 2011-05-24 10:59 /var/log/dmesg
> > > -rw-r----- 1 syslog adm     0 2011-05-24 11:17 /var/log/kern.log
> > > 
> > > (And some systems have a historically world-readable /var/log/dmesg that
> > > should be fixed...) Does anyone see any problems in removing the default
> > > user from the "adm" group? It seems to almost exclusively only be used
> > > for log file reading permissions...
> > > 
> > > Thoughts, flames, etc?
> > 
> > +1
> > 
> > I've always been a bit surprised at how much I can see in /var/log when
> > logged into a brand new box as the initial admin user. I think users are
> > accustomed to sudo when debugging issues, and I'm comfortable with saying
> > that reading /var/log/* is just one more thing you need to use sudo for.

Clint, what do you think of the proposal below? It's a less dramatic
change, which might be more well received ultimately.

> This doesn't match how I think of it, but I may be unusual (in this regard - 
> otherwise I think that's already well established).  I have tended to view 
> sudo/root as "ooh, be careful not to break the system" and "understand the 
> system" as something I should do as a normal user (with limited exceptions).
> 
> Currently on the 11.04 system I'm typing this on, I have:
> 
> -rw-r----- 1 root   adm    53466 2011-05-24 13:19 dmesg
> 
> /var/log has a mix of files owned by group root and group adm.  Instead of 
> removing normal user access to all the files in /var/log, couldn't we just 
> change the group of dmesg* to root?
> 
> I don't know about other GUI tools, but Kubuntu's userconfig gives a checkbox 
> to "Access system logs" that adds the user to adm.  If we're fundamentally 
> changing how system logs are accessed we'll need to change that.  Other GUI 
> user configuration tools should also be checked for this (and appropriate work 
> items added to the spec).

Yeah, same for Gnome (adm group checkbox). Just changing the specific log
file permissions does seem to be the "least surprising" method to deal with
this. I will go that route, thanks.

-Kees

-- 
Kees Cook
Ubuntu Security Team
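
An audit of the exposure discussed in this thread, as an added example that is not part of the original messages: it lists on-disk copies of the kernel log (the dmesg* and kern.log* files named above) that stay readable without root, next to the state of the dmesg_restrict sysctl. The /proc/sys/kernel/dmesg_restrict path, the glob patterns and the function names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Audit kernel-log copies on disk that stay readable when dmesg is restricted."""
import glob
import os
import stat
import sys

# Files named in the thread; the globs also cover rotated copies (assumption).
PATTERNS = ("dmesg*", "kern.log*")


def dmesg_restricted(path="/proc/sys/kernel/dmesg_restrict"):
    """Return True/False for the sysctl, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip() != "0"
    except OSError:
        return None


def exposed_logs(log_dir="/var/log", patterns=PATTERNS):
    """Return (path, octal mode, reason) for each log readable without root."""
    findings = []
    for pattern in patterns:
        for path in sorted(glob.glob(os.path.join(log_dir, pattern))):
            st = os.stat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IROTH:
                # The historically world-readable case mentioned in the thread.
                findings.append((path, oct(mode), "world-readable"))
            elif mode & stat.S_IRGRP and st.st_gid != 0:
                # Group-readable by a non-root group such as "adm".
                findings.append((path, oct(mode), "readable by gid %d" % st.st_gid))
    return findings


if __name__ == "__main__":
    log_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/log"
    print("kernel.dmesg_restrict enabled:", dmesg_restricted())
    for path, mode, reason in exposed_logs(log_dir):
        print("%s  %s  %s" % (mode, path, reason))
```

A file owned by root:root with mode 0640, the outcome the thread settles on for dmesg*, produces no finding.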


