Re: We should disable dmesg for unprivileged users by default

[Tobias Geerinckx-Rice]

Alex,

Alex Vong 写道：
> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by 
> default to
> prevent unprivileged users from reading the kernel ring buffer 
> (since it
> could expose sensitive information about the system).
>
> Debian does this. I don't know about other distros.

I do this on all my Guix Systems by default; sounds good to me!

Let's do it by setting CONFIG_SECURITY_DMESG_RESTRICT=y in the 
kernel configuration: it changes the default 
/proc/sys/kernel/dmesg_restrict from 0 to 1, but still allows 
changing it later (I tried).

No overhead, no service whose only job is to flip an unwanted bit, 
no cmdline cruft.

Kind regards,

T G-R

signature.asc
Description: PGP signature