Date: Fri, 13 Mar 2015 13:44:53 +0100
From: Jann Horn <jann@...jh.net>
To: oss-security@...ts.openwall.com
Subject: Re: Disabling reading of kernel log buffer reading for user

On Fri, Mar 13, 2015 at 09:56:58AM +0000, halfdog wrote:
> * What would be the side effects of making /dev/kmesg only root accessible? Maybe syslog not able to write kmessages to log?
> * Would it be safe to disable the syslog syscall for action SYSLOG_ACTION_READ_* and all users except root and syslog? Does someone have tested selinux config for that?

/proc/sys/kernel/dmesg_restrict can be used to restrict access to the log buffer.
It looks like at least rsyslogd uses /proc/kmsg to read messages from the log
buffer, and that file is only accessible for root anyway.
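
An added example, not part of the original message: a shell check for the two points in the reply above, the dmesg_restrict setting and the permissions on /proc/kmsg. The klog_audit function name, its optional root-prefix argument, and the scan of /etc/sysctl.conf and /etc/sysctl.d/*.conf for a persisted setting are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original message.
# klog_audit [ROOT]: ROOT is a hypothetical prefix so the check can be pointed
# at a constructed tree; empty means the live system.
# Returns 0 when the kernel log buffer is restricted, 1 otherwise.

klog_audit() {
    root="${1:-}"
    rc=0

    # Runtime value: 1 means the log buffer is restricted.
    f="$root/proc/sys/kernel/dmesg_restrict"
    val="unavailable"
    [ -r "$f" ] && val=$(tr -d '[:space:]' < "$f")
    if [ "$val" = "1" ]; then
        echo "OK    runtime kernel.dmesg_restrict=1"
    else
        echo "WEAK  runtime kernel.dmesg_restrict=$val"
        rc=1
    fi

    # Persisted value: every assignment found must be 1, so the result does
    # not depend on which file is applied last. Only /etc is scanned here.
    vals=$(cat "$root/etc/sysctl.conf" "$root"/etc/sysctl.d/*.conf 2>/dev/null |
        sed -n 's/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' |
        sort -u | tr '\n' ' ')
    if [ "$vals" = "1 " ]; then
        echo "OK    persisted kernel.dmesg_restrict=1"
    else
        echo "WEAK  persisted kernel.dmesg_restrict (found: ${vals:-none})"
        rc=1
    fi

    # /proc/kmsg is what the log daemon reads; flag it if "other" has read.
    k="$root/proc/kmsg"
    if [ -e "$k" ]; then
        mode=$(stat -c '%a' "$k")   # GNU stat, octal mode such as 400
        case "$mode" in
            *[4567]) echo "WEAK  $k mode $mode is world-readable"; rc=1 ;;
            *)       echo "OK    $k mode $mode" ;;
        esac
    fi
    return "$rc"
}
```

Run klog_audit with no argument on the host being checked; a non-zero return means at least one WEAK line was printed.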

