Proposal: Enabling DMESG_RESTRICT for Groovy Onward
zeha at debian.org
Sat Aug 29 13:18:55 UTC 2020
* Matthew Ruffell <matthew.ruffell at canonical.com> [200812 00:37]:
> > Do you happen to know if there was a similar proposal discussed in
> > Debian?
> I don't believe this has been discussed in Debian. The only bugs I found were
> #570358 and #867747 which are for /var/log/dmesg only. Additionally, I found
> https://wiki.debian.org/NewInStretch, which mentions that "The dmesg command
> requires superuser privileges."
I'm sure you have seen Ansgar's reply here:
> That grants additional rights to the `adm` group that it did not have
> before, for example to clear the dmesg buffer:
> $ dmesg --clear
> works after adding `cap_syslog` to the dmesg binary whereas it did not
> work before.
This makes me want to -NOT- apply these changes in Debian's
Debian already has the dmesg_restrict change since stretch, so our
users already need to use other mechanisms to look at the kernel log.
Probably using journalctl or tailing the /var/log/syslog file.
Re-enabling dmesg for the %adm group does not seem to add value for
Debian now, and granting the --clear (and other) permissions seems
to be too much.
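
An added illustration, not part of the original message or of any Debian or Ubuntu tooling: a POSIX shell check that reports who can read and who can clear the kernel log, given the `kernel.dmesg_restrict` value, one line of `getcap` output, and the binary's mode and group. The function names, the `/usr/bin/dmesg` path, and the `750 adm` mode and group are assumptions made for the example, and the inputs are constructed.

```shell
#!/bin/sh
# Added example: who can read / clear the kernel log, given the sysctl value,
# one line of getcap output, and the binary's octal mode and group.
# On a live host the inputs would come from:
#   sysctl -n kernel.dmesg_restrict; getcap "$bin"; stat -c '%a %G' "$bin"

# has_cap_syslog LINE: succeed if the getcap line puts cap_syslog in the
# file's permitted set. Accepts "path = caps+ep" and "path caps=ep" layouts.
has_cap_syslog() {
    caps=${1#* }                 # strip the path (assumes no spaces in it)
    caps=${caps#= }              # older layout has a separate "="
    for clause in $caps; do
        names=${clause%%[=+-]*}  # e.g. cap_net_raw,cap_syslog
        flags=${clause##*[=+-]}  # e.g. ep
        case ",$names," in
            ,,|*,cap_syslog,*)   # empty name list means all capabilities
                case $flags in *p*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# who_can_run MODE GROUP: widest class holding an execute bit.
who_can_run() {
    other=${1#"${1%?}"}; rest=${1%?}; group=${rest#"${rest%?}"}
    case $other in [1357]) echo "everyone"; return ;; esac
    case $group in [1357]) echo "group $2"; return ;; esac
    echo "owner only"
}

# audit_dmesg RESTRICT GETCAP_LINE MODE GROUP
audit_dmesg() {
    clear_by="CAP_SYSLOG holders only"
    # A file capability is not read-only: whoever may execute the binary
    # gets every syslog action, including "dmesg --clear".
    if has_cap_syslog "$2"; then clear_by=$(who_can_run "$3" "$4"); fi
    if [ "$1" = 0 ]; then read_by="everyone"; else read_by=$clear_by; fi
    echo "read=$read_by clear=$clear_by"
}

# Constructed inputs (path, mode and group are assumptions, not from a host):
audit_dmesg 1 "" 755 root                             # restricted, no file cap
audit_dmesg 1 "/usr/bin/dmesg cap_syslog=ep" 750 adm  # cap_syslog for adm
```

The second call reports the same audience for `read` and `clear`, which is the widening of rights the message objects to.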