Ubuntu
rsyslog package

rsyslogd dmesg unit leaves /var/log/dmesg* world readable

Bug #1884887 reported by Steve Beattie
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
rsyslog (Ubuntu)
Confirmed
Medium
Unassigned

Bug Description

[Impact]

The rsyslog dmesg systemd unit /lib/systemd/system/dmesg.service in eoan, focal, and groovy create /var/log/dmesg* with the following permissions:

  -rw-r--r-- 1 root adm 45146 Jun 16 12:32 /var/log/dmesg

Most other system logs in /var/log/ are only readable by root and group adm.

While it's true that the kernel dmesg buffer by default can be read by anyone using the dmesg(1) command, this can be disabled by setting the sysctl kernel.dmesg_restrict to 1, but doing so as a hardening measure is thwarted by the world readable nature of /var/log/dmesg.

The reason dmesg output is sensitive is that it sometimes contains kernel addresses for diagnosing kernel problems, but attackers looking to attack a kernel are also interested in kernel addresses and other information that shows up there.

[Test Case]

To reproduce:

 $ ls -l /var/log/dmesg*

should show only root and group adm access like so:

 -rw-r----- 1 root adm 50178 Jun 23 12:55 /var/log/dmesg
 -rw-r----- 1 root adm 50217 Jun 23 12:55 /var/log/dmesg.0
 -rw-r----- 1 root adm 13941 Jun 23 12:47 /var/log/dmesg.1.gz

and not world readable:

 -rw-r--r-- 1 root adm 45146 Jun 16 12:32 /var/log/dmesg

[Regression Potential]

It's possible tools like apport and others might expect /var/log/dmesg to be world-readable.

Tags: patch
Revision history for this message
Steve Beattie (sbeattie) wrote :

Debdiff for groovy attached:

  - adds a second ExecStartPost entru to chmod /var/log/dmesg
  - adjusts the savelog(8) call in ExecStartPre to set the permission mode to 640 explicitly when rotating dmesg logs

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "rsyslog_8.2001.0-1ubuntu2.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Steve Beattie (sbeattie) wrote :

Fixed debdiff to add the bug reference for groovy.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Focal version.

Mathew Hodson (mhodson)
Changed in rsyslog (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Steve Beattie (sbeattie) wrote :

Updated groovy debdiff against the merge from debian currently in groovy-proposed.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rsyslog (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.