guix-devel

Re: We should disable dmesg for unprivileged users by default


From: Alex Vong
Subject: Re: We should disable dmesg for unprivileged users by default
Date: Wed, 17 Jul 2019 06:58:11 +0800
User-agent: mu4e 1.2.0; emacs 26.2

Hello,

Ricardo Wurmus writes:

> Ludovic Courtès <address@hidden> writes:
>
>> Hi,
>>
>> Alex Vong <address@hidden> skribis:
>>
>>> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to
>>> prevent unprivileged users from reading the kernel ring buffer (since it
>>> could expose sensitive information about the system).
>>
>> We could have a ‘dmesg-restrict’ service that would write to that file
>> as part of system activation, and we’d add it to ‘%base-packages’.
>> WDYT?
>
> This sounds good!

I just found out there are at least 2 other ways to set kernel
parameters. One is to append the line "kernel.dmesg_restrict=1" to the file
"/etc/sysctl.conf". The other way is to run the command
"sudo sysctl -w kernel.dmesg_restrict=1". It appears to me that writing
to "/etc/sysctl.conf" is better (since it is declarative). WDYT? What is
our current way of setting kernel parameters?

Attachment: signature.asc
Description: PGP signature
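
An added example, not part of the original thread or of Guix: a shell check that compares the running value of kernel.dmesg_restrict with what a sysctl.conf-style file declares, which separates a one-off "sysctl -w" from a persistent setting. The function names are hypothetical; the two default paths are the ones mentioned in the message above.

```shell
#!/bin/sh
# Added example: audit kernel.dmesg_restrict (runtime value vs. declared value).

# Print the last value assigned to a key in a sysctl.conf-style file.
# Skips '#' and ';' comment lines, trims whitespace around '=', drops the
# leading '-' (ignore-errors marker) and accepts '/' as well as '.' as the
# key separator. Prints nothing when the key is not set or the file is absent.
sysctl_conf_value() {
    key=$1
    file=$2
    [ -r "$file" ] || return 0
    awk -v want="$key" '
        /^[ \t]*([#;]|$)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            sub(/^-/, "", k)
            gsub(/\//, ".", k)
            if (k == want) last = v      # a later assignment overrides an earlier one
        }
        END { if (last != "") print last }
    ' "$file"
}

# Classify the setting. $1 is the runtime file, $2 the configuration file.
dmesg_restrict_status() {
    proc_file=$1
    conf_file=$2
    runtime=$(cat "$proc_file" 2>/dev/null) || runtime=
    persisted=$(sysctl_conf_value kernel.dmesg_restrict "$conf_file")
    case "${runtime:-unknown}/${persisted:-unset}" in
        1/1) echo "restricted" ;;      # active now and declared in the file
        1/*) echo "runtime-only" ;;    # active now, but not declared: lost at reboot
        */1) echo "pending" ;;         # declared, but not applied to the running kernel
        *)   echo "unrestricted" ;;    # unprivileged users can read the ring buffer
    esac
}

# Report on the live system, using the paths from the message.
dmesg_restrict_status /proc/sys/kernel/dmesg_restrict /etc/sysctl.conf
```
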

