Public bug reported:

Steps to reproduce:

1) restrict dmesg to root only
sudo sysctl kernel.dmesg_restrict=1
2) check that root can still get dmesg
sudo dmesg
3) check a regular user cannot access dmesg and gets a denial
dmesg
4) check with journalctl
journalctl -k

Here, journalctl should report a denial but instead it gives out the
dmesg output, thus bypassing the restriction.


Issue description:

On our systems, access to dmesg is restricted with
kernel.dmesg_restrict=1 which works well:

  $ sysctl kernel.dmesg_restrict
  kernel.dmesg_restrict = 1
  $ dmesg
  dmesg: read kernel buffer failed: Operation not permitted

But "journalctl -k" lets anyone bypass that restriction:

  $ journalctl -k | wc -l
  1035


Additional information:

$ apt-cache policy systemd
systemd:
  Installed: 229-4ubuntu17
  Candidate: 229-4ubuntu17
  Version table:
 *** 229-4ubuntu17 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     229-4ubuntu10 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     229-4ubuntu4 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

$ lsb_release -rd
Description:    Ubuntu 16.04.2 LTS
Release:        16.04

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: systemd 229-4ubuntu17
ProcVersionSignature: Ubuntu 4.4.0-80.101-generic 4.4.70
Uname: Linux 4.4.0-80-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
CurrentDesktop: Unity
CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
Date: Thu Jun 15 09:36:15 2017
InstallationDate: Installed on 2016-12-06 (190 days ago)
InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161206)
MachineType: System76 Lemur
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-80-generic.efi.signed root=UUID=49432620-38ed-44bd-912a-7bc51eec3a35 ro quiet splash possible_cpus=4 nmi_watchdog=0 kaslr vsyscall=none vt.handoff=7
SourcePackage: systemd
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 02/17/2017
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 5.12
dmi.board.asset.tag: Tag 12345
dmi.board.name: Lemur
dmi.board.vendor: System76
dmi.board.version: lemu7
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: System76
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr5.12:bd02/17/2017:svnSystem76:pnLemur:pvrlemu7:rvnSystem76:rnLemur:rvrlemu7:cvnSystem76:ct10:cvrN/A:
dmi.product.name: Lemur
dmi.product.version: lemu7
dmi.sys.vendor: System76

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug third-party-packages xenial
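
The reproduction steps above turned into a repeatable audit, added here as an example that is not part of the original bug report or of systemd. It assumes journald's standard storage directories (/var/log/journal and /run/log/journal), which hold the kernel messages that "journalctl -k" displays, and flags the case where kernel.dmesg_restrict=1 while the calling user can still read those files. The function names and the root-prefix parameter are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): detect hosts where
# kernel.dmesg_restrict=1 is undermined by user-readable journal files.
# The optional root prefix is a hypothetical parameter that lets the
# check run against a constructed directory tree.

# Print the dmesg_restrict value under the given root ("unknown" if absent).
dmesg_restrict_value() {
    f="$1/proc/sys/kernel/dmesg_restrict"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# List journal files under the given root that the calling user can read.
# Assumption: journald's standard persistent and volatile directories.
readable_journals() {
    for d in "$1/var/log/journal" "$1/run/log/journal"; do
        [ -d "$d" ] || continue
        find "$d" -type f -name '*.journal' 2>/dev/null |
        while IFS= read -r j; do
            if [ -r "$j" ]; then printf '%s\n' "$j"; fi
        done
    done
    return 0
}

# Return 0: restricted and no journal readable (consistent).
# Return 1: restricted, but journal files are readable by this user.
# Return 2: dmesg_restrict is not enabled at all.
audit_dmesg_restrict() {
    root="${1:-}"
    val=$(dmesg_restrict_value "$root")
    if [ "$val" != "1" ]; then
        echo "kernel.dmesg_restrict=$val: kernel log is not restricted"
        return 2
    fi
    files=$(readable_journals "$root")
    if [ -n "$files" ]; then
        echo "kernel.dmesg_restrict=1 but uid $(id -u) can read:"
        printf '%s\n' "$files"
        return 1
    fi
    echo "kernel.dmesg_restrict=1 and no journal file readable by uid $(id -u)"
    return 0
}

# Usage on a live system, as the unprivileged user under test:
#   audit_dmesg_restrict ""
```

Run it as the non-root account being checked; as root every journal file is readable and the result says nothing about the restriction.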

https://bugs.launchpad.net/bugs/1698144

Title:
  "journalctl -k" doesn't respect kernel.dmesg_restrict
