[ubuntu-hardened] dmesg restrict.
Kees Cook
kees at ubuntu.com
Wed Dec 19 02:29:39 UTC 2012
On Tue, Dec 18, 2012 at 10:22:56PM +0100, daniel curtis wrote:
> Mr Cook, I think that you're right, because the sysctl command
> works very well: now, dmesg is restricted for a normal user.
> Why is it not set by default? I mean this dmesg restrict.
> It seems that it has a large impact on system security, right?
It's yet another layer of defense against information leaks. I'm not sure
I'd classify it as a "large impact", though. FWIW, I do it on all my
machines.
Enough things expect to have access to dmesg (especially for debugging)
that disabling it in the general case isn't trivial.
-Kees
--
Kees Cook