Users in groups 'adm' and 'systemd-journal' can access all logs.

xnox@chita:~$ journalctl -k
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal' can see all messages.
      Pass -q to turn off this notice.
-- No entries --
xnox@chita:~$ id xnox
uid=1000(xnox) gid=1000(xnox) groups=1000(xnox),27(sudo),110(lxd)
xnox@chita:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:        16.04
Codename:       xenial


Thus mere mortal users, not in the adm group, cannot read dmesg.

To further limit this, you need to copy /usr/lib/tmpfiles.d/systemd.conf
into /etc/tmpfiles.d/ and remove the access you do not like. E.g. remove
the paragraph about the adm group.

** Changed in: systemd (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1698144
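The override xnox describes (a copy of the shipped tmpfiles.d fragment with the adm ACL lines removed) is easy to get half right: the override only stops systemd-tmpfiles from re-adding the ACL, while entries already on /var/log/journal stay in place. The POSIX shell script below is an added example, not code from the bug report, from xnox's comment or from the systemd project. It audits whether group adm still has an ACL on the journal directories, then builds the override and clears the on-disk ACLs. The paths, the `a+ ... group:adm:r-x` line format and the sample getfacl output are assumptions modelled on systemd 229 on Ubuntu 16.04 as shown in the report; the sample data is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not code from the bug report or the comment above.
# Part 1: audit whether group 'adm' still has read access to the journal.
# Part 2: the override from the comment: /etc/tmpfiles.d/systemd.conf is a
# copy of /usr/lib/tmpfiles.d/systemd.conf minus the lines granting group adm,
# plus removal of the ACL entries already on disk.
# Assumed layout: Ubuntu 16.04 / systemd 229; sample data below is constructed.

SHIPPED=/usr/lib/tmpfiles.d/systemd.conf
OVERRIDE=/etc/tmpfiles.d/systemd.conf
JOURNAL_DIRS="/var/log/journal /run/log/journal"

# acl_grants_adm: read getfacl(1) output on stdin; succeed (0) if any access
# or default ACL entry gives group adm read permission.
acl_grants_adm() {
    grep -q -E '^(default:)?group:adm:r'
}

# strip_adm_acl: copy a tmpfiles.d fragment from stdin to stdout, dropping the
# 'a+' lines that add an ACL for group adm (access and 'd:' default forms).
strip_adm_acl() {
    grep -v -E '^a[+][[:space:]].*[[:space:]](d:)?group:adm:' || true
}

# count_adm_acl: number of adm ACL lines in a tmpfiles.d fragment on stdin.
count_adm_acl() {
    grep -c -E '^a[+][[:space:]].*[[:space:]](d:)?group:adm:' || true
}

# audit_journal_acl: report which journal directories still expose adm.
# Returns 0 if none do, 1 otherwise. Needs a live system with getfacl.
audit_journal_acl() {
    rc=0
    for d in $JOURNAL_DIRS; do
        [ -d "$d" ] || continue
        if getfacl -p "$d" 2>/dev/null | acl_grants_adm; then
            echo "$d: group adm has an ACL (journalctl -k readable by adm members)"
            rc=1
        else
            echo "$d: no adm ACL"
        fi
    done
    return $rc
}

# install_override: write the filtered override, remove ACL entries already on
# disk (the override alone only stops tmpfiles from re-adding them), then
# re-apply the fragment. Run as root.
install_override() {
    [ -r "$SHIPPED" ] || { echo "cannot read $SHIPPED" >&2; return 1; }
    mkdir -p "$(dirname "$OVERRIDE")"
    strip_adm_acl < "$SHIPPED" > "$OVERRIDE"
    for d in $JOURNAL_DIRS; do
        [ -d "$d" ] || continue
        setfacl -R -x g:adm "$d"                          # access ACL entries
        find "$d" -type d -exec setfacl -d -x g:adm {} +  # default ACL entries
    done
    systemd-tmpfiles --create "$OVERRIDE"
}

# Constructed sample fragment modelled on the shipped file's journal stanza.
SAMPLE_TMPFILES='d /run/log/journal 2755 root systemd-journal - -
a+ /run/log/journal - - - - d:group:adm:r-x
a+ /run/log/journal - - - - group:adm:r-x
z /var/log/journal 2755 root systemd-journal - -
a+ /var/log/journal - - - - d:group:adm:r-x
a+ /var/log/journal - - - - group:adm:r-x'

# Constructed getfacl output for a journal directory before the change.
SAMPLE_GETFACL_BEFORE='# file: /var/log/journal
# owner: root
# group: systemd-journal
user::rwx
group::r-x
group:adm:r-x
mask::r-x
other::r-x
default:group:adm:r-x'

# The same directory after the adm entries have been removed.
SAMPLE_GETFACL_AFTER='# file: /var/log/journal
# owner: root
# group: systemd-journal
user::rwx
group::r-x
mask::r-x
other::r-x'

# Usage on a real host (as root): . ./journal-acl.sh; audit_journal_acl; install_override
```

Members of systemd-journal keep access by group ownership of the directory, which the tmpfiles `d`/`z` lines set and the script does not touch; the audit therefore only tracks the adm ACL, which is the path by which a sudo-capable but non-root user reads `journalctl -k` on the reporter's system.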

Title:
  "journalctl -k" doesn't respect kernel.dmesg_restrict

Status in systemd package in Ubuntu:
  Invalid

Bug description:
  Steps to reproduce:

  1) restrict dmesg to root only
  sudo sysctl kernel.dmesg_restrict=1
  2) check that root can still get dmesg
  sudo dmesg
  3) check a regular user cannot access dmesg and gets a denial
  dmesg
  4) check with journalctl
  journalctl -k

  Here, journalctl should report a denial but instead it gives out the
  dmesg output, thus bypassing the restriction.

  
  Issue description:

  On our systems, access to dmesg is restricted with
  kernel.dmesg_restrict=1 which works well:

    $ sysctl kernel.dmesg_restrict
    kernel.dmesg_restrict = 1
    $ dmesg
    dmesg: read kernel buffer failed: Operation not permitted

  But "journalctl -k" lets anyone bypass that restriction:

    $ journalctl -k | wc -l
    1035

  
  Additional information:

  $ apt-cache policy systemd
  systemd:
    Installed: 229-4ubuntu17
    Candidate: 229-4ubuntu17
    Version table:
   *** 229-4ubuntu17 500
          500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       229-4ubuntu10 500
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
       229-4ubuntu4 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

  $ lsb_release -rd
  Description:  Ubuntu 16.04.2 LTS
  Release:      16.04

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: systemd 229-4ubuntu17
  ProcVersionSignature: Ubuntu 4.4.0-80.101-generic 4.4.70
  Uname: Linux 4.4.0-80-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20.1-0ubuntu2.6
  Architecture: amd64
  CurrentDesktop: Unity
  CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
  Date: Thu Jun 15 09:36:15 2017
  InstallationDate: Installed on 2016-12-06 (190 days ago)
  InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161206)
  MachineType: System76 Lemur
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-80-generic.efi.signed root=UUID=49432620-38ed-44bd-912a-7bc51eec3a35 ro quiet splash possible_cpus=4 nmi_watchdog=0 kaslr vsyscall=none vt.handoff=7
  SourcePackage: systemd
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/17/2017
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 5.12
  dmi.board.asset.tag: Tag 12345
  dmi.board.name: Lemur
  dmi.board.vendor: System76
  dmi.board.version: lemu7
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: System76
  dmi.chassis.version: N/A
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr5.12:bd02/17/2017:svnSystem76:pnLemur:pvrlemu7:rvnSystem76:rnLemur:rvrlemu7:cvnSystem76:ct10:cvrN/A:
  dmi.product.name: Lemur
  dmi.product.version: lemu7
  dmi.sys.vendor: System76
