Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 13 Mar 2015 11:37:45 +0000
From: Marek Kroemeke <kroemeke@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Disabling reading of kernel log buffer reading
 for user

http://lwn.net/Articles/414813/

echo 1 > /proc/sys/kernel/dmesg_restrict


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello List,
> 
> After years working on Linux, I just found out, that any user not only root can read the kernel log buffer - I never even considered that this could be the case.
> 
> As this behavior is documented and expected, this is not a security vulnerability. But to avoid things like in [1], I would like to disable that on my machines.
> 
> Questions:
> 
> * What would be the side effects of making /dev/kmesg only root accessible? Maybe syslog not able to write kmessages to log?
> 
> * Would it be safe to disable the syslog syscall for action SYSLOG_ACTION_READ_* and all users except root and syslog? Does someone have tested selinux config for that?
> 
> hd
> 
> 
> [1] http://www.halfdog.net/Security/2015/HavingFunWithDmesg/
> 
> - -- 
> http://www.halfdog.net/
> PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> 
> iEYEARECAAYFAlUCtGQACgkQxFmThv7tq+4FFQCeN4Txgu40/tDsWGSVaK2sm7La
> VusAnRUCtETL9IGmaeSyQUt2dyCQgCpV
> =Krnc
> -----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ