Proposal: Enabling DMESG_RESTRICT for Groovy Onward

Steve Langasek steve.langasek at
Sat Aug 29 18:51:30 UTC 2020

On Sat, Aug 29, 2020 at 03:18:55PM +0200, Chris Hofstaedtler wrote:
> Hi Matthew,

> * Matthew Ruffell <matthew.ruffell at> [200812 00:37]:
> > > Do you happen to know if there was a similar proposal discussed in
> > > Debian?

> > I don't believe this has been discussed in Debian. The only bugs I found were
> > #570358 and #867747 which are for /var/log/dmesg only. Additionally, I found
> >, which mentions that "The dmesg command 
> > requires superuser privileges."

> I'm sure you have seen Ansgar's reply here:

>   > That grants additional rights to the `adm` group that it did not have
>   > before, for example to clear the dmesg buffer:
>   >
>   > $ dmesg --clear
>   >
>   > works after adding `cap_syslog` to the dmesg binary whereas it did not
>   > work before.

> This makes me want to -NOT- apply these changes in Debian's
> util-linux.

> Debian already has the dmesg_restrict change since stretch, so our
> users already need to use other mechanisms to look at the kernel log
> messages.
> Probably using journalctl or tailing the /var/log/syslog file.

> Re-enabling dmesg for the %adm group does not seem to add value for
> Debian now, and granting the --clear (and other) permissions seems
> to be too much.

I agree, and on that basis I also do not believe we should include this
change to util-linux in Ubuntu.
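
The concern quoted above can be checked on a given system. This is an added example, not part of the original thread or of util-linux: it classifies who can read and clear the kernel log from the `dmesg_restrict` value, the `getcap` output for the dmesg binary, and the binary's mode and group. The function names and the sample inputs in the comments are constructed for illustration.

```shell
#!/bin/sh
# dmesg_exposure RESTRICT GETCAP_LINE MODE GROUP
#   RESTRICT    value of /proc/sys/kernel/dmesg_restrict (0 or 1)
#   GETCAP_LINE output of `getcap <dmesg binary>` (empty if no file caps)
#   MODE, GROUP octal mode and group of the binary (stat -c %a / %G)
# "privileged" below means a process holding CAP_SYSLOG or CAP_SYS_ADMIN.
dmesg_exposure() {
    restrict=$1; capline=$2; mode=$3; group=$4
    # Flag letters (e/i/p) of the clause naming cap_syslog; accepts both
    # "path cap_syslog=ep" and the older "path = cap_syslog+ep" layouts.
    flags=$(printf '%s\n' "$capline" |
        sed -n 's/.*cap_syslog[^ =+]*[=+]\([eip]*\).*/\1/p')
    case "$flags" in
        *e*p*|*p*e*)
            # Effective+permitted file capability: whoever may execute the
            # binary gains CAP_SYSLOG, which covers --clear as well as reads.
            case "$mode" in
                *[1357])  echo "read+clear: all users" ;;
                *[1357]?) echo "read+clear: root and group $group" ;;
                *)        echo "read+clear: binary owner only" ;;
            esac ;;
        *)
            # No usable file capability: only the sysctl decides reads,
            # and clearing the buffer always needs privilege.
            if [ "$restrict" = "1" ]; then
                echo "read: privileged only; clear: privileged only"
            else
                echo "read: all users; clear: privileged only"
            fi ;;
    esac
}

# Gather the same four inputs from the running system (needs getcap, stat).
audit_live() {
    bin=$(command -v dmesg) || return 0
    dmesg_exposure "$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null)" \
        "$(getcap "$bin" 2>/dev/null)" \
        "$(stat -c %a "$bin")" "$(stat -c %G "$bin")"
}

# Constructed inputs: dmesg_exposure 1 '/usr/bin/dmesg cap_syslog=ep' 750 adm
#                     dmesg_exposure 1 '' 755 root
```

Run `audit_live` on a host to apply the same classification to its installed dmesg binary.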

