From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alex Vong <alexvong1995@gmail.com>
Subject: We should disable dmesg for unprivileged users by default
Date: Sat, 13 Jul 2019 09:45:21 +0800
Message-ID: <86h87qpv0u.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:56060)
 by lists.gnu.org with esmtp (Exim 4.86_2)
 (envelope-from <alexvong1995@gmail.com>) id 1hm76b-0000TR-UZ
 for guix-devel@gnu.org; Fri, 12 Jul 2019 21:45:42 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <alexvong1995@gmail.com>) id 1hm76b-0004uA-1J
 for guix-devel@gnu.org; Fri, 12 Jul 2019 21:45:41 -0400
Received: from mail-pf1-x435.google.com ([2607:f8b0:4864:20::435]:45804)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <alexvong1995@gmail.com>)
 id 1hm76a-0004qF-Qv
 for guix-devel@gnu.org; Fri, 12 Jul 2019 21:45:40 -0400
Received: by mail-pf1-x435.google.com with SMTP id r1so5043618pfq.12
 for <guix-devel@gnu.org>; Fri, 12 Jul 2019 18:45:40 -0700 (PDT)
Received: from debian (42-98-181-210.static.netvigator.com. [42.98.181.210])
 by smtp.gmail.com with ESMTPSA id k70sm15404775pje.14.2019.07.12.18.45.37
 for <guix-devel@gnu.org>
 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
 Fri, 12 Jul 2019 18:45:38 -0700 (PDT)
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain

Hello Guix,

I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
prevent unprivileged users from reading the kernel ring buffer (since it
could expose sensitive information about the system).

Debian does this. I don't know about other distros.

Cheers,
Alex

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXSk3sgAKCRBh71Au9gJS
8r7FAQCHLCz4oiaOtKlULEHY+xHb7CkXZAToSULEj6FXH/kPZgEAw6PltaXOMnWi
Dj7Yozey5gcJBj7WaJPiO3/YJf+tewQ=
=o9XD
-----END PGP SIGNATURE-----
--=-=-=--