Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 13 Mar 2015 11:37:45 +0000
From: Marek Kroemeke <kroemeke@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Disabling reading of kernel log buffer reading
 for user

http://lwn.net/Articles/414813/

echo 1 > /proc/sys/kernel/dmesg_restrict


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello List,
> 
> After years working on Linux, I just found out, that any user not only root can read the kernel log buffer - I never even considered that this could be the case.
> 
> As this behavior is documented and expected, this is not a security vulnerability. But to avoid things like in [1], I would like to disable that on my machines.
> 
> Questions:
> 
> * What would be the side effects of making /dev/kmesg only root accessible? Maybe syslog not able to write kmessages to log?
> 
> * Would it be safe to disable the syslog syscall for action SYSLOG_ACTION_READ_* and all users except root and syslog? Does someone have tested selinux config for that?
> 
> hd
> 
> 
> [1] http://www.halfdog.net/Security/2015/HavingFunWithDmesg/
> 
> - -- 
> http://www.halfdog.net/
> PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> 
> iEYEARECAAYFAlUCtGQACgkQxFmThv7tq+4FFQCeN4Txgu40/tDsWGSVaK2sm7La
> VusAnRUCtETL9IGmaeSyQUt2dyCQgCpV
> =Krnc
> -----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.