We should disable dmesg for unprivileged users by default

We should disable dmesg for unprivileged users by default

[Alex Vong]

[-- Attachment #1: Type: text/plain, Size: 280 bytes --]

Hello Guix,

I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
prevent unprivileged users from reading the kernel ring buffer (since it
could expose sensitive information about the system).

Debian does this. I don't know about other distros.

Cheers,
Alex

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: We should disable dmesg for unprivileged users by default

[Pierre Neidhardt]

[-- Attachment #1: Type: text/plain, Size: 103 bytes --]

And we could make it an operating system option then?

-- 
Pierre Neidhardt
https://ambrevar.xyz/

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: We should disable dmesg for unprivileged users by default

[Ludovic Courtès]

Hi,

Alex Vong <alexvong1995@gmail.com> skribis:

> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
> prevent unprivileged users from reading the kernel ring buffer (since it
> could expose sensitive information about the system).

We could have a ‘dmesg-restrict’ service that would write to that file
as part of system activation, and we’d add it to ‘%base-packages’.
WDYT?

That way, people could easily remove it from ‘%base-packages’ if they
don’t want it.  (I might do that on my laptop for instance.  :-))

Thanks,
Ludo’.

Re: We should disable dmesg for unprivileged users by default

[Ricardo Wurmus]

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Alex Vong <alexvong1995@gmail.com> skribis:
>
>> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
>> prevent unprivileged users from reading the kernel ring buffer (since it
>> could expose sensitive information about the system).
>
> We could have a ‘dmesg-restrict’ service that would write to that file
> as part of system activation, and we’d add it to ‘%base-packages’.
> WDYT?

This sounds good!

-- 
Ricardo

Re: We should disable dmesg for unprivileged users by default

[Alex Vong]

[-- Attachment #1: Type: text/plain, Size: 948 bytes --]

Hello,

Ricardo Wurmus writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hi,
>>
>> Alex Vong <alexvong1995@gmail.com> skribis:
>>
>>> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
>>> prevent unprivileged users from reading the kernel ring buffer (since it
>>> could expose sensitive information about the system).
>>
>> We could have a ‘dmesg-restrict’ service that would write to that file
>> as part of system activation, and we’d add it to ‘%base-packages’.
>> WDYT?
>
> This sounds good!

I just find out there are at least 2 other ways to set kernel
parameters. One is to append the line "kernel.dmesg_restrict=1" to the file
"/etc/sysctl.conf". The other way is to run the command
"sudo sysctl -w kernel.dmesg_restrict=1". It appears to me that writing
to "/etc/sysctl.conf" is better (since it is declarative). WDYT? What is
our current way of setting kernel parameters?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: We should disable dmesg for unprivileged users by default

[Tobias Geerinckx-Rice]

[-- Attachment #1: Type: text/plain, Size: 696 bytes --]

Alex,

Alex Vong 写道：
> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by 
> default to
> prevent unprivileged users from reading the kernel ring buffer 
> (since it
> could expose sensitive information about the system).
>
> Debian does this. I don't know about other distros.

I do this on all my Guix Systems by default; sounds good to me!

Let's do it by setting CONFIG_SECURITY_DMESG_RESTRICT=y in the 
kernel configuration: it changes the default 
/proc/sys/kernel/dmesg_restrict from 0 to 1, but still allows 
changing it later (I tried).

No overhead, no service whose only job is to flip an unwanted bit, 
no cmdline cruft.

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

[PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users.

[Tobias Geerinckx-Rice]

* gnu/packages/linux.scm (%default-extra-linux-options):
Set CONFIG_SECURITY_DMESG_RESTRICT.
---

Re: https://lists.gnu.org/archive/html/guix-devel/2019-07/msg00258.html

Patchy patch.

 gnu/packages/linux.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 30192f195d..73c7083e7c 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -273,7 +273,9 @@ for ARCH and optionally VARIANT, or #f if there is no such configuration."
     (search-auxiliary-file file)))
 
 (define %default-extra-linux-options
-  `(;; Modules required for initrd:
+  `(;; Some very mild hardening.
+    ("CONFIG_SECURITY_DMESG_RESTRICT" . #t)
+    ;; Modules required for initrd:
     ("CONFIG_NET_9P" . m)
     ("CONFIG_NET_9P_VIRTIO" . m)
     ("CONFIG_VIRTIO_BLK" . m)
-- 
2.22.0

Re: [bug#36701] [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users.

[Ludovic Courtès]

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

> * gnu/packages/linux.scm (%default-extra-linux-options):
> Set CONFIG_SECURITY_DMESG_RESTRICT.

Go for it!

Ludo’.

bug#36701: [PATCH] gnu: linux-libre: Restrict ‘dmesg’ to privileged users.

[Tobias Geerinckx-Rice via Guix-patches]

[-- Attachment #1: Type: text/plain, Size: 283 bytes --]

Ludo',

Ludovic Courtès 写道：
> Tobias Geerinckx-Rice <me@tobias.gr> skribis:
>
>> * gnu/packages/linux.scm (%default-extra-linux-options):
>> Set CONFIG_SECURITY_DMESG_RESTRICT.
>
> Go for it!

Pushed as 24446ce299943efe3dfded6c9dd0cf9421d8da04.

Thanks!

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]