Enabling the kernel's DMESG_RESTRICT feature
Clint Byrum
clint at ubuntu.com
Thu May 26 19:05:51 UTC 2011
Excerpts from Kees Cook's message of Wed May 25 10:01:12 -0700 2011:
> On Wed, May 25, 2011 at 08:07:14AM -0400, Scott Kitterman wrote:
> > On Tuesday, May 24, 2011 06:00:17 PM Clint Byrum wrote:
> > > Excerpts from Kees Cook's message of Tue May 24 11:46:48 -0700 2011:
> > > > One unresolved problem is that the local default user (who is part of
> > > > "admin") is also part of the "adm" group, which means these log files are
> > > > visible without additional privileges:
> > > >
> > > > -rw-r----- 1 root adm 25937 2011-05-24 10:59 /var/log/dmesg
> > > > -rw-r----- 1 syslog adm 0 2011-05-24 11:17 /var/log/kern.log
> > > >
> > > > (And some system have a historically world-readable /var/log/dmesg that
> > > > should be fixed...) Does anyone see any problems in removing the default
> > > > user from the "adm" group? It seems to almost exclusively only be used
> > > > for log file reading permissions...
> > > >
> > > > Thoughts, flames, etc?
> > >
> > > +1
> > >
> > > I've always been a bit surprised at how much I can see in /var/log when
> > > logged into a brand new box as the initial admin user. I think users are
> > > accustomed to sudo when debugging issues, and I'm comfortable with saying
> > > that reading /var/log/* is just one more thing you need to use sudo for.
>
> Clint, what do you think of the proposal below? It's a less dramatic
> change, which might be more well received ultimately.
+1 for a less surprising and still quite effective way of achieving the goal.
More information about the ubuntu-devel
mailing list