CONFIG_SECURITY_DMESG_RESTRICT differences
Hi all,

I just found that I could not do "dmesg" as normal user in a Leap 15.3 installation. I'm used to being able to do this from my Factory machines.

Investigation showed that Leap's kernel sets CONFIG_SECURITY_DMESG_RESTRICT=y while the Factory kernel (at least kernel-vanilla and kernel-default from Kernel:HEAD) does not.

I do not care which default is chosen, but for consistency I'd suggest settling for one of the two possible options ;-)

Have fun,
--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
On Sat, Jan 29, 2022 at 05:37:48PM +0100, Stefan Seyfried wrote:
> Hi all,
>
> I just found that I could not do "dmesg" as normal user in a Leap 15.3 installation. I'm used to being able to do this from my Factory machines.
>
> Investigation showed that Leap's kernel sets CONFIG_SECURITY_DMESG_RESTRICT=y while the Factory kernel (at least kernel-vanilla and kernel-default from Kernel:HEAD) does not.
>
> I do not care which default is chosen, but for consistency I'd suggest settling for one of the two possible options ;-)

FWIW, the reason is that Leap 15.3 now uses the SLES 15 SP3 kernel directly, and that is locked down in this regard.

I fear Tumbleweed is different to that.

Perhaps we can also enable it for Tumbleweed?

Ciao, Marcus
On Sat, Jan 29, 2022 at 05:54:17PM +0100, Marcus Meissner wrote:
> On Sat, Jan 29, 2022 at 05:37:48PM +0100, Stefan Seyfried wrote:
>> Hi all,
>>
>> I just found that I could not do "dmesg" as normal user in a Leap 15.3 installation. I'm used to being able to do this from my Factory machines.
>>
>> Investigation showed that Leap's kernel sets CONFIG_SECURITY_DMESG_RESTRICT=y while the Factory kernel (at least kernel-vanilla and kernel-default from Kernel:HEAD) does not.
>>
>> I do not care which default is chosen, but for consistency I'd suggest settling for one of the two possible options ;-)
>
> FWIW, the reason is that Leap 15.3 now uses the SLES 15 SP3 kernel directly, and that is locked down in this regard.
>
> I fear Tumbleweed is different to that.
>
> Perhaps we can also enable it for Tumbleweed?

For the record, this was already discussed in bsc#1157066 after the value had been changed by accident. We reverted the change (in Tumbleweed) but only because the restriction was added by accident rather than as a conscious decision. My take from the bugzilla discussion was that nobody really cares too much.

Michal
On 2022-01-31 18:20, Michal Kubecek wrote:
> On Sat, Jan 29, 2022 at 05:54:17PM +0100, Marcus Meissner wrote:
>> On Sat, Jan 29, 2022 at 05:37:48PM +0100, Stefan Seyfried wrote:
>>> Hi all,
>>>
>>> I just found that I could not do "dmesg" as normal user in a Leap 15.3 installation. I'm used to being able to do this from my Factory machines.
>>>
>>> Investigation showed that Leap's kernel sets CONFIG_SECURITY_DMESG_RESTRICT=y while the Factory kernel (at least kernel-vanilla and kernel-default from Kernel:HEAD) does not.
>>>
>>> I do not care which default is chosen, but for consistency I'd suggest settling for one of the two possible options ;-)
>>
>> FWIW, the reason is that Leap 15.3 now uses the SLES 15 SP3 kernel directly, and that is locked down in this regard.
>>
>> I fear Tumbleweed is different to that.
>>
>> Perhaps we can also enable it for Tumbleweed?
>
> For the record, this was already discussed in bsc#1157066 after the value had been changed by accident. We reverted the change (in Tumbleweed) but only because the restriction was added by accident rather than as a conscious decision. My take from the bugzilla discussion was that nobody really cares too much.

Well, it means that when aiding some newbie with a problem and we tell him to look at dmesg output, we will also need to tell him to use sudo or su. No big deal, but it is something to remember as it changes the procedure used for decades.

Maybe it is more secure. Dunno. I thought that SLE has decided this change for the improved security (aka secrecy) it means ;-)

--
Cheers / Saludos,
Carlos E. R. (from 15.3 x86_64 at Telcontar)
Hi Michal,

On 31.01.22 18:20, Michal Kubecek wrote:
> On Sat, Jan 29, 2022 at 05:54:17PM +0100, Marcus Meissner wrote:
>> On Sat, Jan 29, 2022 at 05:37:48PM +0100, Stefan Seyfried wrote:
>>> I do not care which default is chosen, but for consistency I'd suggest settling for one of the two possible options ;-)
>>
>> FWIW, the reason is that Leap 15.3 now uses the SLES 15 SP3 kernel directly, and that is locked down in this regard.
>>
>> I fear Tumbleweed is different to that.
>>
>> Perhaps we can also enable it for Tumbleweed?
>
> For the record, this was already discussed in bsc#1157066 after the value had been changed by accident. We reverted the change (in Tumbleweed) but only because the restriction was added by accident rather than as a conscious decision. My take from the bugzilla discussion was that nobody really cares too much.

As I already wrote: I personally don't care too much which default is chosen, but personally I prefer some consistency across different openSUSE installations ;-)

(in my case, I'd probably just add the sysctl to disable the added security feature to my usual post-install routine :-)

I was just surprised when I found out that I couldn't use dmesg (Debian style) on Leap, while I use it all the time on Factory.

--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
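Added example, not part of the thread and not openSUSE tooling: a small check that tells the build-time default (CONFIG_SECURITY_DMESG_RESTRICT) apart from the running value of the kernel.dmesg_restrict sysctl, so an audit across Leap and Tumbleweed machines shows where a post-install sysctl changed the behaviour. The function names are hypothetical, and the kernel config is assumed to be readable at /boot/config-<release>; both file paths can be passed as arguments.

```shell
#!/bin/sh
# Added example: compare the build-time default with the running value of
# kernel.dmesg_restrict. With the value 1, reading the kernel log needs
# CAP_SYSLOG, which is why plain "dmesg" fails for a normal user.

# Print "y" if CONFIG_SECURITY_DMESG_RESTRICT=y is set in the given kernel
# config file, "n" if it is unset or commented out, "unknown" if unreadable.
config_default() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return; }
    if grep -q '^CONFIG_SECURITY_DMESG_RESTRICT=y$' "$cfg"; then
        echo y
    else
        echo n
    fi
}

# Print the runtime value (0 or 1) from the given sysctl file, or "unknown".
runtime_value() {
    f=$1
    [ -r "$f" ] || { echo unknown; return; }
    tr -d '[:space:]' < "$f"
    echo
}

# Report whether dmesg is restricted and whether the runtime value differs
# from the build-time default (for example through a sysctl.d drop-in).
dmesg_restrict_status() {
    cfg=${1:-/boot/config-$(uname -r)}          # assumed config location
    sysctl_file=${2:-/proc/sys/kernel/dmesg_restrict}
    def=$(config_default "$cfg")
    cur=$(runtime_value "$sysctl_file")
    case "$def:$cur" in
        y:1) echo "restricted (build default)" ;;
        n:0) echo "open (build default)" ;;
        y:0) echo "open (overridden at runtime)" ;;
        n:1) echo "restricted (overridden at runtime)" ;;
        *)   echo "unknown (config=$def runtime=$cur)" ;;
    esac
}

dmesg_restrict_status "$@"
```

Run without arguments it inspects the local machine; given a config file and a saved sysctl value it evaluates copies collected from other hosts.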
participants (4)
- Carlos E. R.
- Marcus Meissner
- Michal Kubecek
- Stefan Seyfried