[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
This bug was fixed in the package rsyslog - 8.2010.0-1ubuntu2 --- rsyslog (8.2010.0-1ubuntu2) hirsute; urgency=medium * debian/dmesg.service: Change /var/log/dmesg from 0644 to 0640 to adhere to new DMESG_RESTRICT restrictions. (LP: #1912122) -- Matthew Ruffell Mon, 18 Jan 2021 13:34:48 +1300 ** Changed in: rsyslog (Ubuntu Hirsute) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: Fix Released Status in rsyslog source package in Groovy: Won't Fix Status in rsyslog source package in Hirsute: Fix Released Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Hi Robie, I agree this probably isn't worth a SRU to Groovy, I just made the packages available in the odd chance that they might be considered. I will mark Groovy as won't fix. Hirsute is what really matters in the end. ** Changed in: rsyslog (Ubuntu Groovy) Status: In Progress => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: Won't Fix Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Is this really worth an SRU to Groovy? One could consider the change to be fully implemented since Hirsute only, and Groovy will EOL before long anyway. Otherwise there's a risk that we'll break users' existing automation that is already live against Groovy. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Thanks @mruffell! uploaded to g/h, with trivial modification of changing the g version bump; for stable releases, ubuntuN should change to ubuntuN.1 instead of ubuntuN+1. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Attached is a patch which changes /var/log/dmesg to 0640 on groovy. It also contains Steve's recommendation to set the logrotate files to 0640. ** Patch added: "Debdiff for syslog on groovy" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454311/+files/lp1912122_groovy_v2.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Attached is a patch which changes /var/log/dmesg to 0640 on hirsute. It also contains Steve's recommendation to set the logrotate files to 0640. ** Patch removed: "Debdiff for rsyslog on hirsute" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454004/+files/lp1912122_hirsute.debdiff ** Patch removed: "Debdiff for syslog on groovy" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454005/+files/lp1912122_groovy.debdiff ** Patch added: "Debdiff for rsyslog on hirsute" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454310/+files/lp1912122_hirsute_v2.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Oh, I was expecting that it would also be desirable to SRU this back to focal, as I expected CONFIG_SECURITY_DMESG_RESTRICT to come back with the HWE kernels, but looking at the config for linux-hwe-5.8, it appears that the old behavior was kept. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
The Ubuntu Security team would like to see this fixed, though it probably would be worth adding the following change to the service file so that on log rotation the permissions are corrected as well: -ExecStartPre=-/usr/bin/savelog -q -p -n -c 5 /var/log/dmesg +ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg Thanks! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
The attachment "Debdiff for rsyslog on hirsute" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.] ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
** Tags added: sts-sponsor -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Attached is a debdiff for Groovy to change /var/log/dmesg to 0640. ** Patch added: "Debdiff for syslog on groovy" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454005/+files/lp1912122_groovy.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Attached is a debdiff for hirsute to set /var/log/dmesg to 0640. ** Patch added: "Debdiff for rsyslog on hirsute" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454004/+files/lp1912122_hirsute.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
** Tags added: sts -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
** Changed in: rsyslog (Ubuntu Hirsute) Status: New => In Progress ** Changed in: rsyslog (Ubuntu Hirsute) Importance: Undecided => Medium ** Changed in: rsyslog (Ubuntu Hirsute) Assignee: (unassigned) => Matthew Ruffell (mruffell) ** Description changed: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: + https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test + + $ sudo systemctl daemon-reload + $ sudo systemctl start dmesg.service + $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. ** Changed in: rsyslog (Ubuntu Groovy) Status: New => In Progress ** Changed in: rsyslog (Ubuntu Groovy) Importance: Undecided => Medium ** Changed in: rsyslog (Ubuntu Groovy) Assignee: (unassigned) => Matthew Ruffell (mruffell) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Groovy: In Progress Status in rsyslog source package in Hirsute: In Progress Bug description: [Impact] In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users. It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640: $ ll /var/log -rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg -rw-r- 1 syslogadm 24538 Jan 18 13:05 kern.log -rw-r- 1 syslogadm213911 Jan 18 13:22 syslog Change /var/log/dmesg to 0640 to close the information leak. [Testcase] $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg [0.00] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18) [0.00] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash --- If you install the package in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test $ sudo systemctl daemon-reload $ sudo systemctl start dmesg.service $ sudo adduser dave $ su dave $ groups dave $ cat /var/log/kern.log cat: /var/log/kern.log: Permission denied $ cat /var/log/syslog cat: /var/log/syslog: Permission denied $ cat /var/log/dmesg cat: /var/log/dmesg: Permission denied [Where problems could occur] Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. To manage notifications about this bug go to:
