[Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Launchpad Bug Tracker
1912122 at bugs.launchpad.net
Wed Jan 20 22:33:11 UTC 2021
This bug was fixed in the package rsyslog - 8.2010.0-1ubuntu2
---------------
rsyslog (8.2010.0-1ubuntu2) hirsute; urgency=medium
* debian/dmesg.service: Change /var/log/dmesg from 0644 to 0640
to adhere to new DMESG_RESTRICT restrictions. (LP: #1912122)
-- Matthew Ruffell <matthew.ruffell at canonical.com> Mon, 18 Jan 2021
13:34:48 +1300
** Changed in: rsyslog (Ubuntu Hirsute)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1912122
Title:
/var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT
restrictions
Status in rsyslog package in Ubuntu:
Fix Released
Status in rsyslog source package in Groovy:
Won't Fix
Status in rsyslog source package in Hirsute:
Fix Released
Bug description:
[Impact]
In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the
Ubuntu kernel starting with Groovy and onward, in an effort to
restrict access to the kernel log buffer from unprivileged users.
It seems we have overlooked /var/log/dmesg, as it is still mode 0644,
while /var/log/kern.log, /var/log/syslog are all 0640:
$ ll /var/log
-rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg
-rw-r----- 1 syslog adm 24538 Jan 18 13:05 kern.log
-rw-r----- 1 syslog adm 213911 Jan 18 13:22 syslog
Change /var/log/dmesg to 0640 to close the information leak.
[Testcase]
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
[ 0.000000] kernel: Linux version 5.8.0-36-generic (buildd at lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18)
[ 0.000000] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash ---
If you install the package in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test
$ sudo systemctl daemon-reload
$ sudo systemctl start dmesg.service
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
cat: /var/log/dmesg: Permission denied
[Where problems could occur]
Some users or log scraper programs might need to view the kernel log
buffers, and in this case, their underlying service accounts should be
added to the 'adm' group.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions
More information about the Ubuntu-sponsors
mailing list