Proposal: Enabling DMESG_RESTRICT for Groovy Onward

Chris Hofstaedtler zeha at
Sat Aug 29 13:18:55 UTC 2020

Hi Matthew,

* Matthew Ruffell <matthew.ruffell at> [200812 00:37]:
> > Do you happen to know if there was a similar proposal discussed in
> > Debian?
> I don't believe this has been discussed in Debian. The only bugs I found was
> #570358 and #867747 which are for /var/log/dmesg only. Additionally, I found
>, which mentions that "The dmesg command 
> requires superuser privileges."

I'm sure you have seen Ansgar's reply here:

  > That grants additional rights to the `adm` group that it did not have
  > before, for example to clear the dmesg buffer:
  > $ dmesg --clear
  > works after adding `cap_syslog` to the dmesg binary whereas it did not
  > work before.

This makes me want to -NOT- apply these changes in Debian's

Debian already has the dmesg_restrict change since stretch, so our
users already need to use other mechanisms to look at the kernel log
Probably using journalctl or tailing the /var/log/syslog file.

Re-enabling dmesg for the %adm group does not seem to add value for
Debian now, and granting the --clear (and other) permissions seems
to be too much.


More information about the ubuntu-devel mailing list