Users in groups 'adm' and 'systemd-journal' can access all logs. xnox@chita:~$ journalctl -k Hint: You are currently not seeing messages from other users and the system. Users in groups 'adm', 'systemd-journal' can see all messages. Pass -q to turn off this notice. -- No entries -- xnox@chita:~$ id xnox uid=1000(xnox) gid=1000(xnox) groups=1000(xnox),27(sudo),110(lxd) xnox@chita:~$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04.2 LTS Release: 16.04 Codename: xenial
Thus mere mortal users, not in the adm group cannot read dmesg. To further limit this, you need to copy /usr/lib/tmpfiles.d/systemd.conf into /etc/tmpfiles.d/ and remove the access you do not like. E.g. remove the pagaragph about adm group. ** Changed in: systemd (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1698144 Title: "journalctl -k" doesn't respect kernel.dmesg_restrict Status in systemd package in Ubuntu: Invalid Bug description: Steps to reproduce: 1) restrict dmesg to root only sudo kernel.dmesg_restrict=1 2) check that root can still get dmesg sudo dmesg 3) check a regular user cannot access dmesg and gets a denial dmesg 4) check with journalctl journalctl -k Here, journalctl should report a denial but instead if gives out the dmesg output thus bypassing the restriction. Issue description: On our systems, access to dmesg is restricted with kernel.dmesg_restrict=1 which works well: $ sysctl kernel.dmesg_restrict kernel.dmesg_restrict = 1 $ dmesg dmesg: read kernel buffer failed: Operation not permitted But "journalctl -k" lets anyone bypass that restriction: $ journalctl -k | wc -l 1035 Additional information: $ apt-cache policy systemd systemd: Installed: 229-4ubuntu17 Candidate: 229-4ubuntu17 Version table: *** 229-4ubuntu17 500 500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages 100 /var/lib/dpkg/status 229-4ubuntu10 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 229-4ubuntu4 500 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages $ lsb_release -rd Description: Ubuntu 16.04.2 LTS Release: 16.04 ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: systemd 229-4ubuntu17 ProcVersionSignature: Ubuntu 4.4.0-80.101-generic 4.4.70 Uname: Linux 4.4.0-80-generic x86_64 NonfreeKernelModules: zfs zunicode zcommon znvpair zavl ApportVersion: 2.20.1-0ubuntu2.6 Architecture: amd64 CurrentDesktop: Unity CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted Date: Thu Jun 15 09:36:15 2017 InstallationDate: Installed on 2016-12-06 (190 days ago) InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161206) MachineType: System76 Lemur ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-80-generic.efi.signed root=UUID=49432620-38ed-44bd-912a-7bc51eec3a35 ro quiet splash possible_cpus=4 nmi_watchdog=0 kaslr vsyscall=none vt.handoff=7 SourcePackage: systemd UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 02/17/2017 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: 5.12 dmi.board.asset.tag: Tag 12345 dmi.board.name: Lemur dmi.board.vendor: System76 dmi.board.version: lemu7 dmi.chassis.asset.tag: No Asset Tag dmi.chassis.type: 10 dmi.chassis.vendor: System76 dmi.chassis.version: N/A dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr5.12:bd02/17/2017:svnSystem76:pnLemur:pvrlemu7:rvnSystem76:rnLemur:rvrlemu7:cvnSystem76:ct10:cvrN/A: dmi.product.name: Lemur dmi.product.version: lemu7 dmi.sys.vendor: System76 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1698144/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp