Proposal: Enabling DMESG_RESTRICT for Groovy Onward
steve.langasek at ubuntu.com
Sat Aug 29 18:51:30 UTC 2020
On Sat, Aug 29, 2020 at 03:18:55PM +0200, Chris Hofstaedtler wrote:
> Hi Matthew,
> * Matthew Ruffell <matthew.ruffell at canonical.com> [200812 00:37]:
> > > Do you happen to know if there was a similar proposal discussed in
> > > Debian?
> > I don't believe this has been discussed in Debian. The only bugs I found was
> > #570358 and #867747 which are for /var/log/dmesg only. Additionally, I found
> > https://wiki.debian.org/NewInStretch, which mentions that "The dmesg command
> > requires superuser privileges."
> I'm sure you have seen Ansgar's reply here:
> > That grants additional rights to the `adm` group that it did not have
> > before, for example to clear the dmesg buffer:
> > $ dmesg --clear
> > works after adding `cap_syslog` to the dmesg binary whereas it did not
> > work before.
> This makes me want to -NOT- apply these changes in Debian's
> Debian already has the dmesg_restrict change since stretch, so our
> users already need to use other mechanisms to look at the kernel log
> Probably using journalctl or tailing the /var/log/syslog file.
> Re-enabling dmesg for the %adm group does not seem to add value for
> Debian now, and granting the --clear (and other) permissions seems
> to be too much.
I agree, and on that basis I also do not believe we should include this
change to util-linux in Ubuntu.
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer https://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the ubuntu-devel