* We should disable dmesg for unprivileged users by default
@ 2019-07-13 1:45 Alex Vong
2019-07-13 5:20 ` Pierre Neidhardt
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Alex Vong @ 2019-07-13 1:45 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 280 bytes --]
Hello Guix,
I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
prevent unprivileged users from reading the kernel ring buffer (since it
could expose sensitive information about the system).
Debian does this. I don't know about other distros.
Cheers,
Alex
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: We should disable dmesg for unprivileged users by default
2019-07-13 1:45 We should disable dmesg for unprivileged users by default Alex Vong
@ 2019-07-13 5:20 ` Pierre Neidhardt
2019-07-14 14:43 ` Ludovic Courtès
2019-07-17 7:04 ` Tobias Geerinckx-Rice
2 siblings, 0 replies; 8+ messages in thread
From: Pierre Neidhardt @ 2019-07-13 5:20 UTC (permalink / raw)
To: Alex Vong, guix-devel
[-- Attachment #1: Type: text/plain, Size: 103 bytes --]
And we could make it an operating system option then?
--
Pierre Neidhardt
https://ambrevar.xyz/
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: We should disable dmesg for unprivileged users by default
2019-07-13 1:45 We should disable dmesg for unprivileged users by default Alex Vong
2019-07-13 5:20 ` Pierre Neidhardt
@ 2019-07-14 14:43 ` Ludovic Courtès
2019-07-15 12:48 ` Ricardo Wurmus
2019-07-17 7:04 ` Tobias Geerinckx-Rice
2 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2019-07-14 14:43 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel
Hi,
Alex Vong <alexvong1995@gmail.com> skribis:
> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
> prevent unprivileged users from reading the kernel ring buffer (since it
> could expose sensitive information about the system).
We could have a ‘dmesg-restrict’ service that would write to that file
as part of system activation, and we’d add it to ‘%base-packages’.
WDYT?
That way, people could easily remove it from ‘%base-packages’ if they
don’t want it. (I might do that on my laptop for instance. :-))
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: We should disable dmesg for unprivileged users by default
2019-07-14 14:43 ` Ludovic Courtès
@ 2019-07-15 12:48 ` Ricardo Wurmus
2019-07-16 22:58 ` Alex Vong
0 siblings, 1 reply; 8+ messages in thread
From: Ricardo Wurmus @ 2019-07-15 12:48 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
Ludovic Courtès <ludo@gnu.org> writes:
> Hi,
>
> Alex Vong <alexvong1995@gmail.com> skribis:
>
>> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
>> prevent unprivileged users from reading the kernel ring buffer (since it
>> could expose sensitive information about the system).
>
> We could have a ‘dmesg-restrict’ service that would write to that file
> as part of system activation, and we’d add it to ‘%base-packages’.
> WDYT?
This sounds good!
--
Ricardo
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: We should disable dmesg for unprivileged users by default
2019-07-15 12:48 ` Ricardo Wurmus
@ 2019-07-16 22:58 ` Alex Vong
0 siblings, 0 replies; 8+ messages in thread
From: Alex Vong @ 2019-07-16 22:58 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 948 bytes --]
Hello,
Ricardo Wurmus writes:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hi,
>>
>> Alex Vong <alexvong1995@gmail.com> skribis:
>>
>>> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
>>> prevent unprivileged users from reading the kernel ring buffer (since it
>>> could expose sensitive information about the system).
>>
>> We could have a ‘dmesg-restrict’ service that would write to that file
>> as part of system activation, and we’d add it to ‘%base-packages’.
>> WDYT?
>
> This sounds good!
I just find out there are at least 2 other ways to set kernel
parameters. One is to append the line "kernel.dmesg_restrict=1" to the file
"/etc/sysctl.conf". The other way is to run the command
"sudo sysctl -w kernel.dmesg_restrict=1". It appears to me that writing
to "/etc/sysctl.conf" is better (since it is declarative). WDYT? What is
our current way of setting kernel parameters?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: We should disable dmesg for unprivileged users by default
2019-07-13 1:45 We should disable dmesg for unprivileged users by default Alex Vong
2019-07-13 5:20 ` Pierre Neidhardt
2019-07-14 14:43 ` Ludovic Courtès
@ 2019-07-17 7:04 ` Tobias Geerinckx-Rice
2019-07-17 7:26 ` [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users Tobias Geerinckx-Rice
2 siblings, 1 reply; 8+ messages in thread
From: Tobias Geerinckx-Rice @ 2019-07-17 7:04 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 696 bytes --]
Alex,
Alex Vong 写道:
> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by
> default to
> prevent unprivileged users from reading the kernel ring buffer
> (since it
> could expose sensitive information about the system).
>
> Debian does this. I don't know about other distros.
I do this on all my Guix Systems by default; sounds good to me!
Let's do it by setting CONFIG_SECURITY_DMESG_RESTRICT=y in the
kernel configuration: it changes the default
/proc/sys/kernel/dmesg_restrict from 0 to 1, but still allows
changing it later (I tried).
No overhead, no service whose only job is to flip an unwanted bit,
no cmdline cruft.
Kind regards,
T G-R
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users.
2019-07-17 7:04 ` Tobias Geerinckx-Rice
@ 2019-07-17 7:26 ` Tobias Geerinckx-Rice
2019-07-26 22:41 ` [bug#36701] " Ludovic Courtès
0 siblings, 1 reply; 8+ messages in thread
From: Tobias Geerinckx-Rice @ 2019-07-17 7:26 UTC (permalink / raw)
To: guix-devel, guix-patches
* gnu/packages/linux.scm (%default-extra-linux-options):
Set CONFIG_SECURITY_DMESG_RESTRICT.
---
Re: https://lists.gnu.org/archive/html/guix-devel/2019-07/msg00258.html
Patchy patch.
gnu/packages/linux.scm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 30192f195d..73c7083e7c 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -273,7 +273,9 @@ for ARCH and optionally VARIANT, or #f if there is no such configuration."
(search-auxiliary-file file)))
(define %default-extra-linux-options
- `(;; Modules required for initrd:
+ `(;; Some very mild hardening.
+ ("CONFIG_SECURITY_DMESG_RESTRICT" . #t)
+ ;; Modules required for initrd:
("CONFIG_NET_9P" . m)
("CONFIG_NET_9P_VIRTIO" . m)
("CONFIG_VIRTIO_BLK" . m)
--
2.22.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [bug#36701] [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users.
2019-07-17 7:26 ` [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users Tobias Geerinckx-Rice
@ 2019-07-26 22:41 ` Ludovic Courtès
0 siblings, 0 replies; 8+ messages in thread
From: Ludovic Courtès @ 2019-07-26 22:41 UTC (permalink / raw)
To: Tobias Geerinckx-Rice; +Cc: guix-devel, 36701
Tobias Geerinckx-Rice <me@tobias.gr> skribis:
> * gnu/packages/linux.scm (%default-extra-linux-options):
> Set CONFIG_SECURITY_DMESG_RESTRICT.
Go for it!
Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-07-26 22:42 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-07-13 1:45 We should disable dmesg for unprivileged users by default Alex Vong
2019-07-13 5:20 ` Pierre Neidhardt
2019-07-14 14:43 ` Ludovic Courtès
2019-07-15 12:48 ` Ricardo Wurmus
2019-07-16 22:58 ` Alex Vong
2019-07-17 7:04 ` Tobias Geerinckx-Rice
2019-07-17 7:26 ` [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users Tobias Geerinckx-Rice
2019-07-26 22:41 ` [bug#36701] " Ludovic Courtès
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).