[ubuntu-hardened] dmesg restrict.

Kees Cook kees at ubuntu.com
Wed Dec 19 02:29:39 UTC 2012

On Tue, Dec 18, 2012 at 10:22:56PM +0100, daniel curtis wrote:
> Mr Cook, I think that you're right, because sysctl command
> works very well: now, dmesg is restricted for normal user.
> Why it is not set by default? I mean this dmesg restrict.
> It seems, that it has a large impact on system security, right?

It's yet another layer of defense against information leaks. I'm not sure
I'd classify it as a "large impact", though. FWIW, I do it on all my

Enough things expect to have access to dmesg (especially for debugging)
that disabling it in the general case isn't trivial.


Kees Cook

More information about the ubuntu-hardened mailing list