From: Alex Vong
Subject: Re: We should disable dmesg for unprivileged users by default
Date: Wed, 17 Jul 2019 06:58:11 +0800
Message-ID: <864l3lvb7g.fsf@gmail.com>
In-reply-to: <87ims3ihtx.fsf@elephly.net>
To: Ricardo Wurmus
Cc: guix-devel@gnu.org

Hello,

Ricardo Wurmus writes:

> Ludovic Courtès writes:
>
>> Hi,
>>
>> Alex Vong skribis:
>>
>>> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
>>> prevent unprivileged users from reading the kernel ring buffer (since it
>>> could expose sensitive information about the system).
>>
>> We could have a ‘dmesg-restrict’ service that would write to that file
>> as part of system activation, and we’d add it to ‘%base-packages’.
>> WDYT?
>
> This sounds good!

I just found out there are at least 2 other ways to set kernel
parameters. One is to append the line "kernel.dmesg_restrict=1" to the file
"/etc/sysctl.conf". The other way is to run the command "sudo sysctl -w
kernel.dmesg_restrict=1".

It appears to me that writing to "/etc/sysctl.conf" is better (since it
is declarative). WDYT? What is our current way of setting kernel
parameters?
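As an added example (not code from the thread or from Guix), the following POSIX shell script shows the declarative route discussed above: it reads the effective value of a key from a sysctl.conf-style file the way sysctl(8) would (last assignment wins), appends kernel.dmesg_restrict = 1 only when the file does not already pin it, and reports the live kernel value. The file path and the sample contents are the caller's; sed and awk are assumed to be available.

```shell
#!/bin/sh
# Added example: inspect and declaratively enforce kernel.dmesg_restrict=1
# in a sysctl.conf-style file. Not from the guix-devel thread or Guix.

# Print the effective value of KEY in FILE (empty if it is never set).
# Comment lines (# or ;) are skipped, "kernel/dmesg_restrict" is accepted
# as an alias of "kernel.dmesg_restrict", and the last assignment wins,
# matching how sysctl(8) applies a file top to bottom.
sysctl_conf_get() {
    file=$1; key=$2
    sed -e '/^[[:space:]]*[#;]/d' "$file" | awk -F= -v k="$key" '
        NF >= 2 {
            gsub(/[[:space:]]/, "", $1); gsub(/\//, ".", $1)
            v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            if ($1 == k) val = v
        }
        END { print val }'
}

# Exit 0 if FILE already pins kernel.dmesg_restrict to 1, 1 otherwise.
conf_restricts_dmesg() {
    [ "$(sysctl_conf_get "$1" kernel.dmesg_restrict)" = 1 ]
}

# Append the restriction to FILE unless it is already in effect there.
# A trailing explicit assignment overrides any earlier, weaker setting,
# and calling this twice leaves the file unchanged the second time.
ensure_dmesg_restrict() {
    conf_restricts_dmesg "$1" && return 0
    printf '\n# restrict dmesg(1) to privileged users\nkernel.dmesg_restrict = 1\n' >> "$1"
}

# Print the live kernel setting, or nothing where the knob does not exist
# (a container without /proc/sys access, or a non-Linux host).
dmesg_restrict_live() {
    cat /proc/sys/kernel/dmesg_restrict 2>/dev/null || true
}
```

Run `ensure_dmesg_restrict /etc/sysctl.conf` as root and then `sysctl -p` (or reboot) for the change to take effect; `dmesg_restrict_live` shows whether the running kernel already honours it.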