Do not require CAP_SYS_ADMIN for reading from /proc/kmsg

Bug #515623 reported by Martin Pitt on 2010-02-01
This bug affects 2 people
Affects: linux (Ubuntu), assigned to Kees Cook
Affects: linux-fsl-imx51 (Ubuntu), assigned to Andy Whitcroft

Bug Description

Right now, the kernel requires root privileges (in particular, CAP_SYS_ADMIN) not only to open /proc/kmsg, but also to read from it:

$ sudo python
[sudo] password for martin:
>>> import os
>>> f=open('/proc/kmsg')
>>> os.seteuid(1000)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
IOError: [Errno 1] Operation not permitted

Due to this, we need to jump through ridiculous hoops to make rsyslog run as a non-root user: /etc/init/rsyslog-kmsg.conf starts a dd process (as root) with bs=1 which shovels /proc/kmsg to a FIFO, which rsyslog then can read from. Due to reading single bytes (in order to not lag behind) it burns a lot of CPU power, especially on boot (see
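
The open-as-root, drop-privileges, then-read pattern that the description tests and that a non-root rsyslog needs, as an added Python 3 example that is not part of the original report or of the kernel patch. The function names and the uid/gid 65534 are assumptions made for illustration.

```python
import errno
import os

def drop_privileges(uid, gid):
    """Permanently drop root: supplementary groups, then gid, then uid."""
    os.setgroups([])
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    try:
        os.setuid(0)                     # must fail if the drop was permanent
    except PermissionError:
        return
    raise RuntimeError("still able to regain root after drop")

def probe_read(fd, size=4096):
    """One non-blocking read on fd; report whether the read itself was permitted."""
    os.set_blocking(fd, False)
    try:
        data = os.read(fd, size)
    except BlockingIOError:
        return ("allowed", b"")          # read permitted, nothing buffered yet
    except OSError as exc:
        if exc.errno in (errno.EPERM, errno.EACCES):
            return ("denied-at-read", b"")   # capability checked on every read
        raise
    return ("allowed", data)

def open_then_drop(path, uid, gid):
    """Open path while privileged, drop to uid/gid, then try to read."""
    fd = os.open(path, os.O_RDONLY)      # the only step that should need root
    try:
        if os.geteuid() == 0:
            drop_privileges(uid, gid)
        return probe_read(fd)
    finally:
        os.close(fd)

if __name__ == "__main__":
    # 65534 is a constructed placeholder for an unprivileged uid/gid.
    verdict, data = open_then_drop("/proc/kmsg", 65534, 65534)
    print(verdict, len(data), "bytes")
```

Run as root, a kernel that checks CAP_SYS_ADMIN on each read reports `denied-at-read`, while one that checks only at open reports `allowed`. Reads from /proc/kmsg consume messages, so run it on a test machine rather than beside a live syslog daemon.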

Martin Pitt (pitti) on 2010-02-01
Changed in linux (Ubuntu):
assignee: nobody → Kees Cook (kees)
Kees Cook (kees) wrote :

This patch implements the ability to not need CAP_SYS_ADMIN for each read on a /proc/kmsg file descriptor. (Submitted to upstream LKML.)

Changed in linux (Ubuntu):
status: New → In Progress
tags: added: patch
Kees Cook (kees) on 2010-02-05
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-12.17

linux (2.6.32-12.17) lucid; urgency=low

  [ Andy Whitcroft ]

  * restore linux-image prefix -- master
  * enforce -- we require SELINUX enabled -- master
  * enforce -- ensure APPARMOR is our default LSM -- master
  * make doc package completely optional -- master
  * make source package completely optional -- master
  * make linux-libc-dev completly optional -- master
  * convert package disable to a deps list -- master
  * allow common headers to switch from indep to arch -- master
  * convert binary package disable to a deps list -- master
  * add configuration option for a full source build tree -- master
  * add support for uImage kernels in package control scripts
  * getabis -- cleanup and parameterise repository list -- master
  * getabis -- move configuration to etc/getabi -- master
  * kernelconfig -- move configuration to etc -- master
  * rules -- make debian/debian.env master for branch name
  * set the current branch name -- master
  * pull back common debian.master files into debian -- master
  * enforcer -- make the enforcement configuration common
  * insert-changes -- correctly link to debian/rules in DROOT

  [ Colin Watson ]

  * future-proof ddeb handling against buildd changes

  [ Eric Miao ]


  [ Loïc Minier ]

  * Add modules.builtin.bin to prerm rm list
    - LP: #516584

  [ Tim Gardner ]

  * [Config] Implement the amd64 preempt flavour

  [ Upstream Kernel Changes ]

  * syslog: distinguish between /proc/kmsg and syscalls
    - LP: #515623
  * sfc: Fix polling for slow MCDI operations
  * sfc: Fix conditions for MDIO self-test
  * sfc: QT202x: Remove unreliable MMD check at initialisation
  * sfc: Add workspace for GMAC bug workaround to MCDI MAC_STATS buffer
  * sfc: Use fixed-size buffers for MCDI NVRAM requests
 -- Andy Whitcroft <email address hidden> Fri, 05 Feb 2010 07:09:31 +0000

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Andy Whitcroft (apw) on 2010-02-12
Changed in linux (Ubuntu):
importance: Undecided → Medium
Andy Whitcroft (apw) on 2010-02-22
Changed in linux-fsl-imx51 (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Andy Whitcroft (apw)
Andy Whitcroft (apw) wrote :

Need this backported for the v2.6.31 arm branches also.

Changed in linux-fsl-imx51 (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-fsl-imx51 - 2.6.31-605.7

linux-fsl-imx51 (2.6.31-605.7) lucid; urgency=low

  [ Bryan Wu ]

  * Add 3 missing files to prerm remove file list
    - LP: #345623, #415832

  [ Loïc Minier ]

  * Add modules.builtin.bin to prerm rm list
    - LP: #516584

  [ Upstream Kernel Changes ]

  * Ubuntu: SAUCE: IMX51: Revert a BSP kernel ENGR00115370 patch which was
    changed in latest BSP
  * ENGR00119582 V4L2 capture:Fix race condition for accessing kernel
  * ENGR00119635 MX23 fix wrong state transition of enable lcd controller
  * ENGR00119578 v4l2 output: fix fb setting for display 5
  * ENGR00116787 change pmic event handling method
  * ENGR00119693 Uniform handling NFC INT bit clearance
  * ENGR00119720 IPUv3:Fix wrong UV offset set in CPMEM when idmac crops
  * ENGR00119847 [MX23_BSP] Support polled read/write for debug UART
  * ENGR00119583 MX35: Add regulators' standby control
  * ENGR00119710 MXC V4L2 output:Support YUYV and UYVY input pixel format
  * ENGR00119034 V4L2 overlay:Use DP to do CSC for preview on DPFG
  * ENGR00119899 Add FEC iomux config and PHY reset.
  * ENGR00119975 IPUv3:Inform user when IDMAC UV-offset overflows
  * ENGR00120126 mx51: add mem resources in platform device for gpu2d and
  * ENGR00120054 MX51: Increase VPU IRAM size to support decoder
  * ENGR00116049-1 [imx23] Addition of FIQ system for chip errata/bo's
  * ENGR00116049-2 [imx23] Addition of FIQ system for chip errata/bo's
  * ENGR00119976 v4l2 output: use mannual buffer select for display channel
  * ENGR00120370 v4l2 output: fix display fail for blank fb during video
  * Ubuntu: SAUCE: IMX51: export symbol of ipu_clear_buffer_ready function
  * syslog: distinguish between /proc/kmsg and syscalls
    - LP: #515623
 -- Andy Whitcroft <email address hidden> Mon, 22 Feb 2010 15:52:35 +0000

Changed in linux-fsl-imx51 (Ubuntu):
status: Fix Committed → Fix Released