From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tobias Geerinckx-Rice <me@tobias.gr>
Subject: Re: We should disable dmesg for unprivileged users by default
Date: Wed, 17 Jul 2019 09:04:22 +0200
Message-ID: <87r26p9m6h.fsf@nckx>
References: <86h87qpv0u.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:49640)
 by lists.gnu.org with esmtp (Exim 4.86_2)
 (envelope-from <me@tobias.gr>) id 1hndzU-0000Oe-Oj
 for guix-devel@gnu.org; Wed, 17 Jul 2019 03:04:41 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <me@tobias.gr>) id 1hndzS-0002ux-Uz
 for guix-devel@gnu.org; Wed, 17 Jul 2019 03:04:40 -0400
Received: from tobias.gr ([2001:470:7405::1]:53978)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <me@tobias.gr>) id 1hndzR-0002hl-Ur
 for guix-devel@gnu.org; Wed, 17 Jul 2019 03:04:38 -0400
Received: by tobias.gr (OpenSMTPD) with ESMTP id af493476
 for <guix-devel@gnu.org>; Wed, 17 Jul 2019 07:04:26 +0000 (UTC)
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id e05813b1
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO)
 for <guix-devel@gnu.org>; Wed, 17 Jul 2019 07:04:24 +0000 (UTC)
In-reply-to: <86h87qpv0u.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Alex,

Alex Vong =E5=86=99=E9=81=93=EF=BC=9A
> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by=20
> default to
> prevent unprivileged users from reading the kernel ring buffer=20
> (since it
> could expose sensitive information about the system).
>
> Debian does this. I don't know about other distros.

I do this on all my Guix Systems by default; sounds good to me!

Let's do it by setting CONFIG_SECURITY_DMESG_RESTRICT=3Dy in the=20
kernel configuration: it changes the default=20
/proc/sys/kernel/dmesg_restrict from 0 to 1, but still allows=20
changing it later (I tried).

No overhead, no service whose only job is to flip an unwanted bit,=20
no cmdline cruft.

Kind regards,

T G-R

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQT12iAyS4c9C3o4dnINsP+IT1VteQUCXS7IdgAKCRANsP+IT1Vt
efmaAPsFjV9nEbhGn5SaoAjk4P5B1Pf8vlawU4ZzitorGqWVFgEAxIao0kA/HikK
GMBPSmWhwpayXKUAY66wnLdxBirj5AA=
=7Q6S
-----END PGP SIGNATURE-----
--=-=-=--