* We should disable dmesg for unprivileged users by default
@ 2019-07-13 1:45 Alex Vong
2019-07-13 5:20 ` Pierre Neidhardt
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Alex Vong @ 2019-07-13 1:45 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 280 bytes --]
Hello Guix,
I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
prevent unprivileged users from reading the kernel ring buffer (since it
could expose sensitive information about the system).
Debian does this. I don't know about other distros.
Cheers,
Alex
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: We should disable dmesg for unprivileged users by default
2019-07-13 1:45 We should disable dmesg for unprivileged users by default Alex Vong
@ 2019-07-13 5:20 ` Pierre Neidhardt
2019-07-14 14:43 ` Ludovic Courtès
2019-07-17 7:04 ` Tobias Geerinckx-Rice
2 siblings, 0 replies; 9+ messages in thread
From: Pierre Neidhardt @ 2019-07-13 5:20 UTC (permalink / raw)
To: Alex Vong, guix-devel
[-- Attachment #1: Type: text/plain, Size: 103 bytes --]
And we could make it an operating system option then?
--
Pierre Neidhardt
https://ambrevar.xyz/
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: We should disable dmesg for unprivileged users by default
2019-07-13 1:45 We should disable dmesg for unprivileged users by default Alex Vong
2019-07-13 5:20 ` Pierre Neidhardt
@ 2019-07-14 14:43 ` Ludovic Courtès
2019-07-15 12:48 ` Ricardo Wurmus
2019-07-17 7:04 ` Tobias Geerinckx-Rice
2 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2019-07-14 14:43 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel
Hi,
Alex Vong <alexvong1995@gmail.com> skribis:
> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
> prevent unprivileged users from reading the kernel ring buffer (since it
> could expose sensitive information about the system).
We could have a ‘dmesg-restrict’ service that would write to that file
as part of system activation, and we’d add it to ‘%base-packages’.
WDYT?
That way, people could easily remove it from ‘%base-packages’ if they
don’t want it. (I might do that on my laptop for instance. :-))
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: We should disable dmesg for unprivileged users by default
2019-07-14 14:43 ` Ludovic Courtès
@ 2019-07-15 12:48 ` Ricardo Wurmus
2019-07-16 22:58 ` Alex Vong
0 siblings, 1 reply; 9+ messages in thread
From: Ricardo Wurmus @ 2019-07-15 12:48 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
Ludovic Courtès <ludo@gnu.org> writes:
> Hi,
>
> Alex Vong <alexvong1995@gmail.com> skribis:
>
>> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
>> prevent unprivileged users from reading the kernel ring buffer (since it
>> could expose sensitive information about the system).
>
> We could have a ‘dmesg-restrict’ service that would write to that file
> as part of system activation, and we’d add it to ‘%base-packages’.
> WDYT?
This sounds good!
--
Ricardo
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: We should disable dmesg for unprivileged users by default
2019-07-13 1:45 We should disable dmesg for unprivileged users by default Alex Vong
2019-07-13 5:20 ` Pierre Neidhardt
2019-07-14 14:43 ` Ludovic Courtès
@ 2019-07-17 7:04 ` Tobias Geerinckx-Rice
2019-07-17 7:26 ` [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users Tobias Geerinckx-Rice
2 siblings, 1 reply; 9+ messages in thread
From: Tobias Geerinckx-Rice @ 2019-07-17 7:04 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 696 bytes --]
Alex,
Alex Vong 写道:
> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by
> default to
> prevent unprivileged users from reading the kernel ring buffer
> (since it
> could expose sensitive information about the system).
>
> Debian does this. I don't know about other distros.
I do this on all my Guix Systems by default; sounds good to me!
Let's do it by setting CONFIG_SECURITY_DMESG_RESTRICT=y in the
kernel configuration: it changes the default
/proc/sys/kernel/dmesg_restrict from 0 to 1, but still allows
changing it later (I tried).
No overhead, no service whose only job is to flip an unwanted bit,
no cmdline cruft.
Kind regards,
T G-R
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2019-07-26 23:20 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-07-13 1:45 We should disable dmesg for unprivileged users by default Alex Vong
2019-07-13 5:20 ` Pierre Neidhardt
2019-07-14 14:43 ` Ludovic Courtès
2019-07-15 12:48 ` Ricardo Wurmus
2019-07-16 22:58 ` Alex Vong
2019-07-17 7:04 ` Tobias Geerinckx-Rice
2019-07-17 7:26 ` [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users Tobias Geerinckx-Rice
2019-07-26 22:41 ` [bug#36701] " Ludovic Courtès
2019-07-26 23:19 ` bug#36701: " Tobias Geerinckx-Rice via Guix-patches
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.