Per-system-call kernel-stack offset randomization
Posted Mar 30, 2020 17:14 UTC (Mon) by zdzichu (subscriber, #17118)
In reply to: Per-system-call kernel-stack offset randomization by jimi
Parent article: Per-system-call kernel-stack offset randomization
config SECURITY_DMESG_RESTRICT
    bool "Restrict unprivileged access to the kernel syslog"
    default n
    help
      This enforces restrictions on unprivileged users reading the kernel
      syslog via dmesg(8).
It's been there for over 9 years.
Posted Mar 30, 2020 17:58 UTC (Mon) by jimi (guest, #6655)
So I'm left wondering, why not set the default to y? At least one distro runs with this restricted with no ill effects. What are the reasons to not restrict?
Posted Mar 30, 2020 19:07 UTC (Mon) by madscientist (subscriber, #16861)
Restricting access to important system information to root will just provide incentive to give root access to more things, which seems like an anti-pattern to me.
If dmesg output is really a security issue then of course something needs to be done, but some careful thought is appropriate.
Posted Mar 30, 2020 21:32 UTC (Mon) by simcop2387 (subscriber, #101710)
Posted Apr 6, 2020 16:42 UTC (Mon) by zdzichu (subscriber, #17118)
Actually there's even a sysctl file: /proc/sys/kernel/dmesg_restrict.
It can be toggled any time.
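
Because the sysctl file can be toggled at any time, the running value can differ from what the next boot will apply. The following is an added example, not part of the thread or of the kernel sources, that compares /proc/sys/kernel/dmesg_restrict with the setting in a sysctl.d directory. The function names, the single-directory lookup and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the runtime kernel.dmesg_restrict value with the
# persistent sysctl.d setting. Paths are arguments so it can run on test files.

# Runtime value (0 or 1) from the sysctl file named in the thread.
runtime_value() {
    proc_file=${1:-/proc/sys/kernel/dmesg_restrict}
    [ -r "$proc_file" ] || return 1
    tr -d ' \t\n' < "$proc_file"
}

# Value that *.conf files in one directory would apply at boot.
# Assumption/simplification: a single directory, files read in lexical
# order, last assignment wins; prints nothing if the key is never set.
persistent_value() {
    conf_dir=${1:-/etc/sysctl.d}
    value=
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*kernel[./]dmesg_restrict[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s' "$value"
}

# Prints "restricted", "unrestricted", or "drift ..." when the runtime
# value (toggled by hand) differs from what the next boot will apply.
audit_dmesg_restrict() {
    run=$(runtime_value "$1") || { echo unknown; return 2; }
    boot=$(persistent_value "$2")
    if [ -n "$boot" ] && [ "$boot" != "$run" ]; then
        echo "drift runtime=$run persistent=$boot"
        return 1
    fi
    if [ "$run" = 1 ]; then echo restricted; else echo unrestricted; fi
}

# Constructed sample: runtime toggled to 0 while a config file sets 1.
demo() {
    d=$(mktemp -d) || return 1
    echo 0 > "$d/dmesg_restrict"
    printf '# constructed\nkernel.dmesg_restrict = 1\n' > "$d/50-hardening.conf"
    rc=0
    audit_dmesg_restrict "$d/dmesg_restrict" "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a live system, calling `audit_dmesg_restrict` with no arguments reads /proc/sys/kernel/dmesg_restrict and /etc/sysctl.d.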