From: | Tobias Geerinckx-Rice |
Subject: | Re: We should disable dmesg for unprivileged users by default |
Date: | Wed, 17 Jul 2019 09:04:22 +0200 |
Alex,

Alex Vong writes:

> I think we should set /proc/sys/kernel/dmesg_restrict to 1 by default to prevent unprivileged users from reading the kernel ring buffer (since it could expose sensitive information about the system). Debian does this. I don't know about other distros.

I do this on all my Guix Systems by default; sounds good to me!

Let's do it by setting CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel configuration: it changes the default /proc/sys/kernel/dmesg_restrict from 0 to 1, but still allows changing it later (I tried).
No overhead, no service whose only job is to flip an unwanted bit, no cmdline cruft.
Kind regards, T G-R
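An added example, not part of the original message or of Guix: a shell audit that separates the compiled-in default (CONFIG_SECURITY_DMESG_RESTRICT) from the current runtime value of dmesg_restrict, since the message notes the value can still be changed later. The function names and the choice to pass the kernel config and sysctl paths as arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: compare the compiled-in dmesg_restrict default with the
# value currently in effect.
# Assumed arguments (hypothetical interface):
#   $1  kernel config, plain or gzip (e.g. /proc/config.gz)
#   $2  sysctl file (normally /proc/sys/kernel/dmesg_restrict)

# Print "y" if the kernel was built with CONFIG_SECURITY_DMESG_RESTRICT=y,
# "n" otherwise (including "# ... is not set" or a missing line).
dmesg_default() {
    cfg=$1
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    if $reader "$cfg" | grep -q '^CONFIG_SECURITY_DMESG_RESTRICT=y$'; then
        echo y
    else
        echo n
    fi
}

# Classify the system as one of:
#   restricted-by-default  built with =y and still restricted
#   relaxed-at-runtime     built with =y but someone wrote 0 afterwards
#   restricted-at-runtime  built without it, restricted via sysctl
#   unrestricted           unprivileged users can read the ring buffer
dmesg_audit() {
    default=$(dmesg_default "$1")
    runtime=$(cat "$2")
    case "$default:$runtime" in
        y:0) echo relaxed-at-runtime ;;
        y:*) echo restricted-by-default ;;
        n:0) echo unrestricted ;;
        n:*) echo restricted-at-runtime ;;
    esac
}

# Run the audit only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    dmesg_audit "$1" "$2"
fi
```

The "relaxed-at-runtime" result is the case worth alerting on: the kernel default was hardened, but the bit has since been flipped back to 0.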