On 17/3/25 09:38, Todd Zullinger wrote:
Stephen Morris wrote:
Just a query first off, why do I need to run dmesg under sudo for it to
produce its output?
In Fedora 39 (or there about), the CONFIG_SECURITY_DMESG_RESTRICT kernel
config was changed. The commit in the Fedora kernel source tree
provides some useful details¹:
Turn on SECURITY_DMESG_RESTRICT
It was requested by ProdSec that we enable SECURITY_DMESG_RESTRICT
as this makes several security bugs more difficult to exploit. It
should be noted that this just controls the default setting of
kernel.dmesg_restrict sysctl and thus can be always set back to 0 at
runtime. Users in the wheel group also have access to journalctl -k
or sudo for dmesg access without giving it to every user on the
system.
¹ https://gitlab.com/cki-project/kernel-ark/-/commit/ed5ba266c6
Thanks Todd, it's been quite a while since I've used DMESG, but I don't
remember ever having to use sudo with it, nor do I remember ever seeing
the message about kernel buffer access being denied, but it just means I
will now have to always remember to use sudo with it. Although logically
it doesn't make sense to me, it is only a read so what damage can a read
do, but then there are also folders under /etc that you can't issue an
LS against without sudo, so I guess it's just the same thing.
regards,
Steve
--
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
