/var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions

Bug #1912122 reported by Matthew Ruffell
Affects             Status        Importance  Assigned to       Milestone
rsyslog (Ubuntu)    Fix Released  Medium      Matthew Ruffell
  Groovy            Won't Fix     Medium      Matthew Ruffell
  Hirsute           Fix Released  Medium      Matthew Ruffell

Bug Description

[Impact]

In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users.

It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log and /var/log/syslog are both 0640:

$ ll /var/log
-rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg
-rw-r----- 1 syslog adm 24538 Jan 18 13:05 kern.log
-rw-r----- 1 syslog adm 213911 Jan 18 13:22 syslog

Change /var/log/dmesg to 0640 to close the information leak.

[Testcase]

$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
[ 0.000000] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18)
[ 0.000000] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash ---

If you install the package in the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test

$ sudo systemctl daemon-reload
$ sudo systemctl start dmesg.service

$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
cat: /var/log/dmesg: Permission denied

[Where problems could occur]

Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group.
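As an added example (not part of the bug report or of the rsyslog package), a small POSIX sh audit that checks the files named above for permission bits wider than 0640, so a 0644 /var/log/dmesg is flagged while the 0640 kern.log and syslog pass. It assumes GNU stat(1) as shipped on Ubuntu; the function names are hypothetical:

```shell
#!/bin/sh
# Added example (not part of the bug report): audit kernel log files for
# modes wider than 0640, i.e. readable by users outside the 'adm' group.
# Assumes GNU stat(1) as on Ubuntu; the function names are hypothetical.

# mode_within FILE MAXMODE
# Succeed (0) if FILE's permission bits are a subset of MAXMODE (octal),
# fail (1) if any extra bit is set, return 2 if FILE cannot be stat'ed.
mode_within() {
    file=$1
    max=$2
    actual=$(stat -c '%a' "$file") || return 2
    # The leading 0 makes the shell treat both values as octal; any bit
    # present in the actual mode but absent from the maximum is a violation.
    extra=$(( 0$actual & ~0$max ))
    [ "$extra" -eq 0 ]
}

# audit_kernel_logs FILE...
# Print one line per existing file and return 1 if any is wider than 0640.
audit_kernel_logs() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if mode_within "$f" 640; then
            echo "ok   $(stat -c '%a %U:%G' "$f") $f"
        else
            echo "FAIL $(stat -c '%a %U:%G' "$f") $f (wider than 0640)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use against the files named in the report:
#   sh audit_dmesg_mode.sh /var/log/dmesg /var/log/kern.log /var/log/syslog
if [ $# -gt 0 ]; then
    audit_kernel_logs "$@"
fi
```

The bitwise comparison, rather than a string match against "640", also catches modes such as 0664 or 0604 and any setuid/setgid/sticky bits, which a plain equality check would miss. Run it after the package update and again after a log rotation, since the rotated copies are created by savelog and may carry a different mode from the live file.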

Changed in rsyslog (Ubuntu Hirsute):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Matthew Ruffell (mruffell)
description: updated
Changed in rsyslog (Ubuntu Groovy):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Matthew Ruffell (mruffell)
tags: added: sts
Matthew Ruffell (mruffell) wrote :

Attached is a debdiff for Hirsute to set /var/log/dmesg to 0640.

Matthew Ruffell (mruffell) wrote :

Attached is a debdiff for Groovy to change /var/log/dmesg to 0640.

tags: added: sts-sponsor
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Debdiff for rsyslog on hirsute" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Steve Beattie (sbeattie) wrote :

The Ubuntu Security team would like to see this fixed, though it probably would be worth adding the following change to the service file so that on log rotation the permissions are corrected as well:

-ExecStartPre=-/usr/bin/savelog -q -p -n -c 5 /var/log/dmesg
+ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg
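Review bot: -m640 is paired here with -p, which asks savelog to preserve the existing file's owner, group and mode, so it is worth confirming on the target release that the explicit -m takes precedence; if it does not, rotated copies of an already-0644 /var/log/dmesg would keep 0644. The rotated files are also only half of the change: the live /var/log/dmesg that the service writes after rotation still needs the 0640 mode called for in the bug description, so both adjustments belong in the same dmesg.service patch.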

Thanks!

Steve Beattie (sbeattie) wrote :

Oh, I was expecting that it would also be desirable to SRU this back to focal, as I expected CONFIG_SECURITY_DMESG_RESTRICT to come back with the HWE kernels, but looking at the config for linux-hwe-5.8, it appears that the old behavior was kept.

Matthew Ruffell (mruffell) wrote :

Attached is a patch which changes /var/log/dmesg to 0640 on Hirsute. It also contains Steve's recommendation to set the logrotate files to 0640.

Matthew Ruffell (mruffell) wrote :

Attached is a patch which changes /var/log/dmesg to 0640 on Groovy. It also contains Steve's recommendation to set the logrotate files to 0640.

Dan Streetman (ddstreet) wrote :

Thanks @mruffell!

uploaded to g/h, with trivial modification of changing the g version bump; for stable releases, ubuntuN should change to ubuntuN.1 instead of ubuntuN+1.

Robie Basak (racb) wrote :

Is this really worth an SRU to Groovy? One could consider the change to be fully implemented since Hirsute only, and Groovy will EOL before long anyway. Otherwise there's a risk that we'll break users' existing automation that is already live against Groovy.

Matthew Ruffell (mruffell) wrote :

Hi Robie, I agree this probably isn't worth an SRU to Groovy; I just made the packages available on the odd chance that they might be considered. I will mark Groovy as Won't Fix.

Hirsute is what really matters in the end.

Changed in rsyslog (Ubuntu Groovy):
status: In Progress → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rsyslog - 8.2010.0-1ubuntu2

---------------
rsyslog (8.2010.0-1ubuntu2) hirsute; urgency=medium

  * debian/dmesg.service: Change /var/log/dmesg from 0644 to 0640
    to adhere to new DMESG_RESTRICT restrictions. (LP: #1912122)

 -- Matthew Ruffell <email address hidden> Mon, 18 Jan 2021 13:34:48 +1300

Changed in rsyslog (Ubuntu Hirsute):
status: In Progress → Fix Released