all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* We should disable dmesg for unprivileged users by default
@ 2019-07-13  1:45 Alex Vong
  2019-07-13  5:20 ` Pierre Neidhardt
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Alex Vong @ 2019-07-13  1:45 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 280 bytes --]

Hello Guix,

I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
prevent unprivileged users from reading the kernel ring buffer (since it
could expose sensitive information about the system).

Debian does this. I don't know about other distros.

Cheers,
Alex

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: We should disable dmesg for unprivileged users by default
  2019-07-13  1:45 We should disable dmesg for unprivileged users by default Alex Vong
@ 2019-07-13  5:20 ` Pierre Neidhardt
  2019-07-14 14:43 ` Ludovic Courtès
  2019-07-17  7:04 ` Tobias Geerinckx-Rice
  2 siblings, 0 replies; 9+ messages in thread
From: Pierre Neidhardt @ 2019-07-13  5:20 UTC (permalink / raw)
  To: Alex Vong, guix-devel

[-- Attachment #1: Type: text/plain, Size: 103 bytes --]

And we could make it an operating system option then?

-- 
Pierre Neidhardt
https://ambrevar.xyz/

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: We should disable dmesg for unprivileged users by default
  2019-07-13  1:45 We should disable dmesg for unprivileged users by default Alex Vong
  2019-07-13  5:20 ` Pierre Neidhardt
@ 2019-07-14 14:43 ` Ludovic Courtès
  2019-07-15 12:48   ` Ricardo Wurmus
  2019-07-17  7:04 ` Tobias Geerinckx-Rice
  2 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2019-07-14 14:43 UTC (permalink / raw)
  To: Alex Vong; +Cc: guix-devel

Hi,

Alex Vong <alexvong1995@gmail.com> skribis:

> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
> prevent unprivileged users from reading the kernel ring buffer (since it
> could expose sensitive information about the system).

We could have a ‘dmesg-restrict’ service that would write to that file
as part of system activation, and we’d add it to ‘%base-packages’.
WDYT?

That way, people could easily remove it from ‘%base-packages’ if they
don’t want it.  (I might do that on my laptop for instance.  :-))

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: We should disable dmesg for unprivileged users by default
  2019-07-14 14:43 ` Ludovic Courtès
@ 2019-07-15 12:48   ` Ricardo Wurmus
  2019-07-16 22:58     ` Alex Vong
  0 siblings, 1 reply; 9+ messages in thread
From: Ricardo Wurmus @ 2019-07-15 12:48 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel


Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Alex Vong <alexvong1995@gmail.com> skribis:
>
>> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
>> prevent unprivileged users from reading the kernel ring buffer (since it
>> could expose sensitive information about the system).
>
> We could have a ‘dmesg-restrict’ service that would write to that file
> as part of system activation, and we’d add it to ‘%base-packages’.
> WDYT?

This sounds good!

-- 
Ricardo

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: We should disable dmesg for unprivileged users by default
  2019-07-15 12:48   ` Ricardo Wurmus
@ 2019-07-16 22:58     ` Alex Vong
  0 siblings, 0 replies; 9+ messages in thread
From: Alex Vong @ 2019-07-16 22:58 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 948 bytes --]

Hello,

Ricardo Wurmus writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hi,
>>
>> Alex Vong <alexvong1995@gmail.com> skribis:
>>
>>> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
>>> prevent unprivileged users from reading the kernel ring buffer (since it
>>> could expose sensitive information about the system).
>>
>> We could have a ‘dmesg-restrict’ service that would write to that file
>> as part of system activation, and we’d add it to ‘%base-packages’.
>> WDYT?
>
> This sounds good!

I just find out there are at least 2 other ways to set kernel
parameters. One is to append the line "kernel.dmesg_restrict=1" to the file
"/etc/sysctl.conf". The other way is to run the command
"sudo sysctl -w kernel.dmesg_restrict=1". It appears to me that writing
to "/etc/sysctl.conf" is better (since it is declarative). WDYT? What is
our current way of setting kernel parameters?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: We should disable dmesg for unprivileged users by default
  2019-07-13  1:45 We should disable dmesg for unprivileged users by default Alex Vong
  2019-07-13  5:20 ` Pierre Neidhardt
  2019-07-14 14:43 ` Ludovic Courtès
@ 2019-07-17  7:04 ` Tobias Geerinckx-Rice
  2019-07-17  7:26   ` [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users Tobias Geerinckx-Rice
  2 siblings, 1 reply; 9+ messages in thread
From: Tobias Geerinckx-Rice @ 2019-07-17  7:04 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 696 bytes --]

Alex,

Alex Vong 写道:
> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by 
> default to
> prevent unprivileged users from reading the kernel ring buffer 
> (since it
> could expose sensitive information about the system).
>
> Debian does this. I don't know about other distros.

I do this on all my Guix Systems by default; sounds good to me!

Let's do it by setting CONFIG_SECURITY_DMESG_RESTRICT=y in the 
kernel configuration: it changes the default 
/proc/sys/kernel/dmesg_restrict from 0 to 1, but still allows 
changing it later (I tried).

No overhead, no service whose only job is to flip an unwanted bit, 
no cmdline cruft.

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users.
  2019-07-17  7:04 ` Tobias Geerinckx-Rice
@ 2019-07-17  7:26   ` Tobias Geerinckx-Rice
  2019-07-26 22:41     ` [bug#36701] " Ludovic Courtès
  0 siblings, 1 reply; 9+ messages in thread
From: Tobias Geerinckx-Rice @ 2019-07-17  7:26 UTC (permalink / raw)
  To: guix-devel, guix-patches

* gnu/packages/linux.scm (%default-extra-linux-options):
Set CONFIG_SECURITY_DMESG_RESTRICT.
---

Re: https://lists.gnu.org/archive/html/guix-devel/2019-07/msg00258.html

Patchy patch.

 gnu/packages/linux.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 30192f195d..73c7083e7c 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -273,7 +273,9 @@ for ARCH and optionally VARIANT, or #f if there is no such configuration."
     (search-auxiliary-file file)))
 
 (define %default-extra-linux-options
-  `(;; Modules required for initrd:
+  `(;; Some very mild hardening.
+    ("CONFIG_SECURITY_DMESG_RESTRICT" . #t)
+    ;; Modules required for initrd:
     ("CONFIG_NET_9P" . m)
     ("CONFIG_NET_9P_VIRTIO" . m)
     ("CONFIG_VIRTIO_BLK" . m)
-- 
2.22.0

^ permalink raw reply related	[flat|nested] 9+ messages in thread

* Re: [bug#36701] [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users.
  2019-07-17  7:26   ` [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users Tobias Geerinckx-Rice
@ 2019-07-26 22:41     ` Ludovic Courtès
  2019-07-26 23:19       ` bug#36701: " Tobias Geerinckx-Rice via Guix-patches
  0 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2019-07-26 22:41 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: guix-devel, 36701

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

> * gnu/packages/linux.scm (%default-extra-linux-options):
> Set CONFIG_SECURITY_DMESG_RESTRICT.

Go for it!

Ludo’.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#36701: [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users.
  2019-07-26 22:41     ` [bug#36701] " Ludovic Courtès
@ 2019-07-26 23:19       ` Tobias Geerinckx-Rice via Guix-patches
  0 siblings, 0 replies; 9+ messages in thread
From: Tobias Geerinckx-Rice via Guix-patches @ 2019-07-26 23:19 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 36701-done

[-- Attachment #1: Type: text/plain, Size: 283 bytes --]

Ludo',

Ludovic Courtès 写道:
> Tobias Geerinckx-Rice <me@tobias.gr> skribis:
>
>> * gnu/packages/linux.scm (%default-extra-linux-options):
>> Set CONFIG_SECURITY_DMESG_RESTRICT.
>
> Go for it!

Pushed as 24446ce299943efe3dfded6c9dd0cf9421d8da04.

Thanks!

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2019-07-26 23:20 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-07-13  1:45 We should disable dmesg for unprivileged users by default Alex Vong
2019-07-13  5:20 ` Pierre Neidhardt
2019-07-14 14:43 ` Ludovic Courtès
2019-07-15 12:48   ` Ricardo Wurmus
2019-07-16 22:58     ` Alex Vong
2019-07-17  7:04 ` Tobias Geerinckx-Rice
2019-07-17  7:26   ` [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users Tobias Geerinckx-Rice
2019-07-26 22:41     ` [bug#36701] " Ludovic Courtès
2019-07-26 23:19       ` bug#36701: " Tobias Geerinckx-Rice via Guix-patches

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.