Date: Mon, 27 Feb 2012 01:28:11 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: kernel.dmesg_restrict sysctl change submitted to OpenVZ

FWIW, I've just submitted the "make kernel.dmesg_restrict sysctl tri-state and container-aware" change from our latest kernel patch on Owl-current to OpenVZ (the relevant upstream):

http://bugzilla.openvz.org/show_bug.cgi?id=2197

"Hi,

The kernel.dmesg_restrict sysctl was added to mainline kernels and backported to RHEL5 and RHEL6 by Red Hat. One of its primary purposes was to protect in-kernel addresses from being shown to non-root users and thus hopefully to make exploitation of certain kinds of kernel bugs more difficult or/and less reliable.

With OpenVZ containers, however, the in-container dmesg is usually empty, and only sometimes it contains useful info: that container's iptables -j LOG output.

The attached patch makes kernel.dmesg_restrict tri-state:

0: no restriction;

1: non-root users can't access dmesg; root users on both the hardware node and in containers can access dmesg (seeing different log records as appropriate);

2: non-root users and any user (including root) in containers can't access dmesg; only root on the hardware node can access dmesg.

2 corresponds to the behavior currently seen with 1, whereas the behavior with 1 becomes more relaxed. 1 is then a reasonable default setting for a distro (that's what we use on Owl now).

Please consider applying this change to your currently maintained kernel branches.

Thanks,

Alexander"
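To make the semantics of the three settings concrete, here is an added model (not the Owl/OpenVZ patch itself, whose code is not in this message) that encodes the access decision for each value and compares it with the two-state behaviour the mail says setting 2 corresponds to. The function names, the enum and the "old" policy are assumptions written from the description above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the tri-state kernel.dmesg_restrict policy
 * described in the submission; an added illustration, not kernel code. */
enum dmesg_restrict_level {
    DMESG_OPEN = 0,          /* 0: no restriction */
    DMESG_ROOT_ANY = 1,      /* 1: root on hardware node or in a container */
    DMESG_ROOT_HW_ONLY = 2   /* 2: root on the hardware node only */
};

/* Assumed pre-patch behaviour: any non-zero value behaves like the new 2
 * (the mail says 2 "corresponds to behavior currently seen with 1"). */
bool dmesg_allowed_old(int level, bool is_root, bool in_container)
{
    if (level == DMESG_OPEN)
        return true;
    return is_root && !in_container;
}

/* Tri-state behaviour as described in the patch submission. */
bool dmesg_allowed_tristate(int level, bool is_root, bool in_container)
{
    switch (level) {
    case DMESG_OPEN:
        return true;
    case DMESG_ROOT_ANY:
        return is_root;               /* container root sees its own records */
    case DMESG_ROOT_HW_ONLY:
        return is_root && !in_container;
    default:
        return false;                 /* unknown value: fail closed */
    }
}

/* Number of (level, root, container) combinations where the tri-state
 * policy is more relaxed than the old one; expected to be exactly one. */
int count_relaxed_cases(void)
{
    int n = 0;
    for (int level = 0; level <= 2; level++)
        for (int r = 0; r <= 1; r++)
            for (int c = 0; c <= 1; c++)
                if (dmesg_allowed_old(level, r, c) != dmesg_allowed_tristate(level, r, c)) {
                    printf("level=%d root=%d container=%d: old=deny new=allow\n", level, r, c);
                    n++;
                }
    return n;
}
```

The only combination that changes is level 1 for root inside a container, which is exactly the relaxation the submission describes.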