As per my most recent email to ubuntu-devel, I am marking the changes to util-linux as Won't Fix.
Relevant mailing list discussion (for future reference):

Ansgar responded on debian-devel mentioning that adding cap_syslog to dmesg enables the user to clear the kernel log buffer:

https://lists.debian.org/debian-devel/2020/08/msg00121.html

> That grants additional rights to the `adm` group that it did not have
> before, for example to clear the dmesg buffer:
>
>   $ dmesg --clear
>
> works after adding `cap_syslog` to the dmesg binary whereas it did not
> work before.

Chris Hofstaedtler, the maintainer of util-linux, mentions that granting such powers to members of adm is more or less unacceptable:

https://lists.ubuntu.com/archives/ubuntu-devel/2020-August/041151.html

> Re-enabling dmesg for the %adm group does not seem to add value for
> Debian now, and granting the --clear (and other) permissions seems
> to be too much.

This was further acked by Steve Langasek:

https://lists.ubuntu.com/archives/ubuntu-devel/2020-August/041152.html

> I agree, and on that basis I also do not believe we should include this
> change to util-linux in Ubuntu.

Because of this, I will no longer pursue opening dmesg up to users in the adm group, or at least until cap_syslog gets a read-only sister capability.

Hopefully Ubuntu users won't be too inconvenienced by having to run dmesg as superuser.

Users can always turn off the behaviour, by setting "kernel.dmesg_restrict = 0" in /etc/sysctl.d/10-kernel-hardening.conf

** Changed in: util-linux (Ubuntu Groovy)
       Status: In Progress => Won't Fix

--
https://bugs.launchpad.net/bugs/1886112

Title:
  Enabling DMESG_RESTRICT in Groovy Onward
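The trade-off discussed in the message above, as an added audit sketch that is not part of the original message or of util-linux: it combines the `kernel.dmesg_restrict` value from a sysctl.d-style file with one line of `getcap` output for dmesg and reports who ends up able to read and to clear the kernel log. The function names, the `/usr/bin/dmesg` path and all sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed; nothing is read from the live system.

# Print the last kernel.dmesg_restrict value (0 or 1) assigned in the
# sysctl.d-style file $1; commented-out lines are ignored, later lines win.
conf_dmesg_restrict() {
    sed -n 's/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# $1 = dmesg_restrict value, $2 = one line of `getcap` output for dmesg.
# Assumption: any cap_syslog entry on the file is treated as effective.
classify_dmesg_access() {
    case "$2" in
        *cap_syslog*) has_cap=1 ;;
        *)            has_cap=0 ;;
    esac
    if [ "$has_cap" -eq 1 ]; then
        # A file capability gives CAP_SYSLOG to everyone allowed to execute
        # the binary, and CAP_SYSLOG covers --clear as well as reading.
        echo "read+clear for all who can execute dmesg"
    elif [ "$1" = "0" ]; then
        echo "read for all users, clear needs CAP_SYSLOG"
    else
        echo "read and clear need CAP_SYSLOG (superuser)"
    fi
}

demo() {
    conf=$(mktemp)
    printf '%s\n' '# constructed sample' 'kernel.dmesg_restrict = 1' > "$conf"
    restrict=$(conf_dmesg_restrict "$conf")
    rm -f "$conf"
    classify_dmesg_access "$restrict" '/usr/bin/dmesg cap_syslog=ep'
    classify_dmesg_access "$restrict" ''
    classify_dmesg_access 0 ''
}
demo
```

On a real system the first argument would come from `sysctl -n kernel.dmesg_restrict` and the second from `getcap` run against the installed dmesg binary.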
