Tuesday 11 August 2020

Re: Proposal: Enabling DMESG_RESTRICT for Groovy Onward

Hi Chris,

[..]
> Do you happen to know if there was a similar proposal discussed in
> Debian?

I don't believe this has been discussed in Debian. The only bugs I found were
#570358 and #867747, which are for /var/log/dmesg only. Additionally, I found
https://wiki.debian.org/NewInStretch, which mentions that "The dmesg command
requires superuser privileges."

I believe Debian might be interested in the change. For example, I started a
Buster VM:

$ head -1 /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"

DMESG_RESTRICT is enabled, and my user is in group adm:

$ grep -Rin "CONFIG_SECURITY_DMESG_RESTRICT" /boot/config-4.19.0-10-cloud-amd64
3130:CONFIG_SECURITY_DMESG_RESTRICT=y
$ groups
mruffell adm dip video plugdev

Permissions for kern.log and syslog are for members of adm:

$ ls -l /var/log/kern.log
-rw-r----- 1 root adm 39414 Aug 11 21:44 /var/log/kern.log
$ ls -l /var/log/syslog
-rw-r----- 1 root adm 60744 Aug 11 21:56 /var/log/syslog

I can read /var/log/kern.log and journalctl:

$ head -2 /var/log/kern.log
Aug 11 21:44:44 debian kernel: [ 0.000000] Linux version 4.19.0-10-cloud-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
Aug 11 21:44:44 debian kernel: [ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.19.0-10-cloud-amd64 root=UUID=fb69ad1f-43c0-40a4-8ec0-bb07f1175c82 ro console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 elevator=noop scsi_mod.use_blk_mq=Y

$ journalctl -t kernel | head -3
-- Logs begin at Tue 2020-08-11 21:44:43 UTC, end at Tue 2020-08-11 22:12:30 UTC. --
Aug 11 21:44:43 debian kernel: Linux version 4.19.0-10-cloud-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
Aug 11 21:44:43 debian kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-4.19.0-10-cloud-amd64 root=UUID=fb69ad1f-43c0-40a4-8ec0-bb07f1175c82 ro console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 elevator=noop scsi_mod.use_blk_mq=Y

And yet, I cannot access dmesg:

$ dmesg
dmesg: read kernel buffer failed: Operation not permitted
$ ls -l /bin/dmesg
-rwxr-xr-x 1 root root 84288 Jan 10 2019 /bin/dmesg

Should I start a discussion on debian-devel, suggesting that Debian adopt the
proposed changes to util-linux? If we get this accepted into Debian, Ubuntu
could sync the package, and there would be less delta to maintain going forward.

[..]

> This says:
>
> Depends: login (>= 1:4.5-1.1~),
> + libcap2-bin (>= 1:2.32-1),
>
> Is there a specific reason for this specific libcap2-bin Version?

There is no specific reason. The package only needs to depend on libcap2-bin for
the setcap program. The version I listed isn't completely arbitrary, it is
the version found in Ubuntu 20.04. But the specific version check isn't necessary.
It can be relaxed.

Thanks,
Matthew
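A small audit script, added here and not part of the thread or of util-linux, that turns the manual checks in the message above into functions and additionally flags the case a packager must avoid: a dmesg binary that carries cap_syslog but remains executable by everyone. The getcap(8) output formats it parses and the mode-bit logic are my assumptions, not taken from the proposed packaging.

```shell
#!/bin/sh
# Audit helper added here, not code from the thread or from util-linux: it
# scripts the checks the message does by hand and also flags a cap_syslog
# dmesg binary that stays runnable by everyone, which would undo dmesg_restrict.
# 0 if a file in /proc/sys/kernel/dmesg_restrict format contains "1".
dmesg_restricted() {
  [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# 0 if a getcap(8) line grants cap_syslog with effective and permitted set
# (accepts old "= cap_syslog+ep" and new "cap_syslog=ep" output syntax).
has_cap_syslog() {
  flags=$(printf '%s\n' "$1" | sed -n 's/.*cap_syslog[=+]\([a-z]*\).*/\1/p')
  case "$flags" in *e*p*|*p*e*) return 0 ;; esac
  return 1
}

# 0 if an "ls -l" line shows the others-execute bit (column 10 of the mode).
world_executable() {
  set -- $1
  [ "$(printf '%s' "$1" | cut -c10)" = "x" ]
}

# 0 if an "ls -l" line shows group adm with the group-read bit set.
adm_group_readable() {
  set -- $1
  [ "$4" = "adm" ] && [ "$(printf '%s' "$1" | cut -c5)" = "r" ]
}

# Classify /bin/dmesg from its getcap line ($1) and "ls -l" line ($2):
# no_cap (root only), cap_group_only (cap_syslog, execute limited to
# owner/group), cap_world_exec (cap_syslog and anyone may run it).
classify_dmesg_binary() {
  if ! has_cap_syslog "$1"; then echo no_cap
  elif world_executable "$2"; then echo cap_world_exec
  else echo cap_group_only
  fi
}

# Run the checks on the live system; tolerates a missing getcap(8).
live_audit() {
  dmesg_restricted /proc/sys/kernel/dmesg_restrict \
    && echo "kernel.dmesg_restrict=1" || echo "kernel.dmesg_restrict=0"
  caps=$(command -v getcap >/dev/null 2>&1 && getcap /bin/dmesg 2>/dev/null)
  echo "/bin/dmesg: $(classify_dmesg_binary "$caps" "$(ls -l /bin/dmesg 2>/dev/null)")"
  for f in /var/log/kern.log /var/log/syslog; do
    [ -e "$f" ] && adm_group_readable "$(ls -l "$f")" && echo "$f readable by adm"
  done
  return 0
}
live_audit
```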

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel