From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alex Vong <alexvong1995@gmail.com>
Subject: Re: We should disable dmesg for unprivileged users by default
Date: Wed, 17 Jul 2019 06:58:11 +0800
Message-ID: <864l3lvb7g.fsf@gmail.com>
References: <86h87qpv0u.fsf@gmail.com> <87y3101xtk.fsf@gnu.org>
 <87ims3ihtx.fsf@elephly.net>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:52589)
 by lists.gnu.org with esmtp (Exim 4.86_2)
 (envelope-from <alexvong1995@gmail.com>) id 1hnWOx-00064Q-S8
 for guix-devel@gnu.org; Tue, 16 Jul 2019 18:58:28 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <alexvong1995@gmail.com>) id 1hnWOw-00015r-1w
 for guix-devel@gnu.org; Tue, 16 Jul 2019 18:58:27 -0400
In-reply-to: <87ims3ihtx.fsf@elephly.net>
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Ricardo Wurmus <rekado@elephly.net>
Cc: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello,

Ricardo Wurmus writes:

> Ludovic Court=C3=A8s <ludo@gnu.org> writes:
>
>> Hi,
>>
>> Alex Vong <alexvong1995@gmail.com> skribis:
>>
>>> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
>>> prevent unprivileged users from reading the kernel ring buffer (since it
>>> could expose sensitive information about the system).
>>
>> We could have a =E2=80=98dmesg-restrict=E2=80=99 service that would writ=
e to that file
>> as part of system activation, and we=E2=80=99d add it to =E2=80=98%base-=
packages=E2=80=99.
>> WDYT?
>
> This sounds good!

I just find out there are at least 2 other ways to set kernel
parameters. One is to append the line "kernel.dmesg_restrict=3D1" to the fi=
le
"/etc/sysctl.conf". The other way is to run the command
"sudo sysctl -w kernel.dmesg_restrict=3D1". It appears to me that writing
to "/etc/sysctl.conf" is better (since it is declarative). WDYT? What is
our current way of setting kernel parameters?

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXS5WgwAKCRBh71Au9gJS
8k/nAPwP9CBsx+8PM/mMXykRgPmjyhrfCWNPJgQ/r79FoYuTkgD/Ury/EL4toj5y
Qz4ISp3oh529Fbhf4QqdNxx9FzoNzA8=
=sLEh
-----END PGP SIGNATURE-----
--=-=-=--