Hello! I am following up on my proposal to enable CONFIG_SECURITY_DMESG_RESTRICT on Groovy onward with debdiffs necessary to implement the feature.
Quick recap: I propose that we restrict access to dmesg to users in group 'adm' like so: 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel. 2) Following changes to /bin/dmesg permissions in package 'util-linux' - Ownership changes to root:adm - Permissions changed to 0750 (-rwxr-x---) - Add cap_syslog capability to binary. 3) Add a commented out '# kernel.dmesg_restrict = 0' to /etc/sysctl.d/10-kernel-hardening.conf Why do we want this? Currently unprivileged users can access the kernel log buffer / dmesg with no restrictions, but cannot access journalctl or /var/log/kern.log or /var/log/syslog. Kernel oops messages can leak sensitive information such as kernel pointers in their register dumps, which helps attackers with their priv esc exploits. For more context, read: https://lists.ubuntu.com/archives/ubuntu-devel/2020-June/041063.html Current status: 1) Has been implemented with commit: https://kernel.ubuntu.com/git/ubuntu/unstable.git/commit/?id=25e6c851704a47c81e78e1a82530ac4b328098a6 Thanks Seth! 2) I have prepared a debdiff to util-linux which implements the changes, and is ready for review here: https://launchpadlibrarian.net/489863172/lp1886112_util-linux_groovy.debdiff 3) I have prepared a debdiff to procps, and is ready for review here: https://launchpadlibrarian.net/489863145/lp1886112_procps_groovy.debdiff Can I please get feedback on the long term maintainability of the patches, particularly the changes to util-linux? Would Debian be interested in these changes? If everyone is in agreement with the changes, can I please get the debdiffs sponsored? The Launchpad Bug for this proposal is LP1886112: https://bugs.launchpad.net/bugs/1886112 Test packages for procps and util-linux for Groovy can be found in this ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1886112-test Thanks, Matthew On 3/07/20 6:44 am, Seth Forshee wrote: > On Wed, Jun 17, 2020 at 12:40:36PM +1200, Matthew Ruffell wrote: >> Hello! >> >> I am proposing that we enable the CONFIG_SECURITY_DMESG_RESTRICT [1] feature >> by >> default for Groovy onward. > > Seems like the discussion on this has stalled. I checked with the > security team and they are +1 on this, so I went ahead and made the > change in our 5.7/5.8 kernel trees. It's likely to be a couple of weeks > before we land one of these in groovy-release, so hopefully that will > give enough time to at least update /usr/bin/dmesg. > > Thanks, > Seth -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel