[Bug 1912122] [NEW] /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Matthew Ruffell
1912122 at bugs.launchpad.net
Mon Jan 18 00:33:34 UTC 2021
Public bug reported:
[Impact]
In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu
kernel starting with Groovy and onward, in an effort to restrict access
to the kernel log buffer from unprivileged users.
It seems we have overlooked /var/log/dmesg, as it is still mode 0644,
while /var/log/kern.log, /var/log/syslog are all 0640:
$ ll /var/log
-rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg
-rw-r----- 1 syslog adm 24538 Jan 18 13:05 kern.log
-rw-r----- 1 syslog adm 213911 Jan 18 13:22 syslog
Change /var/log/dmesg to 0640 to close the information leak.
[Testcase]
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
[ 0.000000] kernel: Linux version 5.8.0-36-generic (buildd at lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18)
[ 0.000000] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash ---
If you install the package in the following ppa:
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
cat: /var/log/dmesg: Permission denied
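An added shell example, not part of this bug report or of the rsyslog package: it does programmatically what the `ll /var/log` listing and the test case above do by eye, listing the files in a log directory whose "other" class has the read bit, applying the 0640 mode the report asks for, and re-checking. The sample directory, file names and modes are constructed for the demonstration; root:adm ownership is not reproduced, and the functions work on any directory, not only /var/log.

```shell
#!/bin/sh
# Audit a log directory for world-readable files and restrict them to 0640.
# Added example; the helpers below are not part of the bug report or rsyslog.

# world_readable_logs DIR: print the base names (sorted, one per line) of
# regular files directly under DIR whose "other" class can read them
# (-perm -004 is the POSIX octal form of "o+r").
world_readable_logs() {
    find "$1" -maxdepth 1 -type f -perm -004 -exec basename {} \; | sort
}

# restrict_log FILE: set owner rw, group r, other none (0640), then verify
# that "other" can no longer read it; returns non-zero if it still can.
restrict_log() {
    chmod 0640 "$1" || return 1
    [ -z "$(find "$1" -maxdepth 0 -perm -004)" ]
}

# make_sample_logdir: build a constructed stand-in for /var/log that
# mirrors the modes in the report (dmesg 0644, kern.log and syslog 0640)
# and print its path. Ownership is left as the calling user.
make_sample_logdir() {
    d=$(mktemp -d)
    : > "$d/dmesg";    chmod 0644 "$d/dmesg"
    : > "$d/kern.log"; chmod 0640 "$d/kern.log"
    : > "$d/syslog";   chmod 0640 "$d/syslog"
    printf '%s\n' "$d"
}

# demo: run the audit on the constructed directory, fix every finding,
# and show the listing before and after (like "ll /var/log").
demo() {
    dir=$(make_sample_logdir)
    echo "world-readable before fix: $(world_readable_logs "$dir" | tr '\n' ' ')"
    for name in $(world_readable_logs "$dir"); do
        restrict_log "$dir/$name"
    done
    echo "world-readable after fix: '$(world_readable_logs "$dir")'"
    ls -l "$dir"
    rm -rf "$dir"
}

demo
```

Run against the real directory with `world_readable_logs /var/log`; on an affected system the output includes `dmesg`, and after the fix (or after `restrict_log /var/log/dmesg` as root) it does not. Accounts that legitimately need the kernel log keep access through the `adm` group, as the report's last section notes.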
[Where problems could occur]
Some users or log scraper programs might need to view the kernel log
buffers, and in this case, their underlying service accounts should be
added to the 'adm' group.
** Affects: rsyslog (Ubuntu)
Importance: Medium
Assignee: Matthew Ruffell (mruffell)
Status: In Progress
** Affects: rsyslog (Ubuntu Groovy)
Importance: Undecided
Status: New
** Affects: rsyslog (Ubuntu Hirsute)
Importance: Medium
Assignee: Matthew Ruffell (mruffell)
Status: In Progress
** Also affects: rsyslog (Ubuntu Groovy)
Importance: Undecided
Status: New
** Also affects: rsyslog (Ubuntu Hirsute)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1912122