On Mon, Mar 04, 2024 at 11:37:49PM -0700, Chris Murphy wrote: > > > On Wed, Feb 28, 2024, at 6:45 AM, Peter Robinson wrote: > > On Wed, 28 Feb 2024 at 13:38, Barry Scott <barry@xxxxxxxxxxxxxxxx> wrote: > >> > >> > >> > >> On 28 Feb 2024, at 10:24, Karel Zak <kzak@xxxxxxxxxx> wrote: > >> > >> You can restore the original behavior by using: > >> > >> # sysctl kernel.dmesg_restrict=0 > >> > >> However, be aware of the security consequences ;-) > >> > >> > >> Given I can get the same information from journalctl -k what is the improvement? > > > > I believe you need to be in the wheel group to get that info from > > journalctl > > I'm in the wheel group as is everyone else by default installing Fedora. A vast majority of Fedora users have this peculiar UX where `journalctl -k` not not require `sudo` but `dmesg` does require it. I think that's annoying and weird. That is true. But please note that there's a huge list of processes that are not in the wheel group: e.g. any random service on the system that is running unprivileged. Previously, it would have access to dmesg, possibly making it easier to escalate some vulnerability to full root access. With this change, dmesg becomes unavailable so extracting information about the running kernel is harder. Zbyszek -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
