From: Alex Vong
Subject: We should disable dmesg for unprivileged users by default
Date: Sat, 13 Jul 2019 09:45:21 +0800
Message-ID: <86h87qpv0u.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

Hello Guix,

I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to prevent unprivileged users from reading the kernel ring buffer (since it could expose sensitive information about the system). Debian does this. I don't know about other distros.

Cheers,
Alex
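
A way to audit the setting proposed above on a running system, added here as an example and not part of the original message. The function name `check_dmesg_restrict` and its optional file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the kernel.dmesg_restrict sysctl.
# check_dmesg_restrict [FILE] prints a verdict and returns:
#   0 = restricted (value 1)
#   1 = unrestricted (value 0)
#   2 = file missing/unreadable, or an unexpected value
# FILE defaults to the real procfs path; the parameter is hypothetical
# and exists so the check can be pointed at a constructed file.
check_dmesg_restrict() {
    file="${1:-/proc/sys/kernel/dmesg_restrict}"
    if [ ! -r "$file" ]; then
        echo "unknown: cannot read $file"
        return 2
    fi
    # The file holds a single integer followed by a newline.
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        1) echo "restricted: reading the ring buffer requires CAP_SYSLOG"
           return 0 ;;
        0) echo "unrestricted: any local user can read the kernel ring buffer"
           return 1 ;;
        *) echo "unknown: unexpected value '$value' in $file"
           return 2 ;;
    esac
}

# Audit the live system; a non-zero verdict does not abort the script.
# To change the running value as root: sysctl -w kernel.dmesg_restrict=1
check_dmesg_restrict || true
```

The return code lets a compliance script or CI check fail when the value is 0 or cannot be determined.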