/var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
rsyslog (Ubuntu) |
Fix Released
|
Medium
|
Matthew Ruffell | ||
Groovy |
Won't Fix
|
Medium
|
Matthew Ruffell | ||
Hirsute |
Fix Released
|
Medium
|
Matthew Ruffell |
Bug Description
[Impact]
In bug 1886112, CONFIG_
It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640:
$ ll /var/log
-rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg
-rw-r----- 1 syslog adm 24538 Jan 18 13:05 kern.log
-rw-r----- 1 syslog adm 213911 Jan 18 13:22 syslog
Change /var/log/dmesg to 0640 to close the information leak.
[Testcase]
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
[ 0.000000] kernel: Linux version 5.8.0-36-generic (buildd@
[ 0.000000] kernel: Command line: BOOT_IMAGE=
If you install the package in the following ppa:
https:/
$ sudo systemctl daemon-reload
$ sudo systemctl start dmesg.service
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
cat: /var/log/dmesg: Permission denied
[Where problems could occur]
Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group.
Changed in rsyslog (Ubuntu Hirsute): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Matthew Ruffell (mruffell) |
description: | updated |
Changed in rsyslog (Ubuntu Groovy): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Matthew Ruffell (mruffell) |
tags: | added: sts |
tags: | added: sts-sponsor |
Attached is a debdiff for hirsute to set /var/log/dmesg to 0640.