Bug#867747: rsyslog: /var/log/dmesg world-readable despite kernel.dmesg_restrict = 1
Javier M DAW
jmengomdaw at gmail.com
Mon Feb 4 10:09:58 GMT 2019
Would the attached patch do the trick? (/etc/init.d/bootlogs)
--- a 2019-02-04 11:01:02.000000000 +0100
+++ b 2019-02-04 11:03:45.000000000 +0100
@@ -15,20 +15,62 @@
[ "$DELAYLOGIN" ] || DELAYLOGIN=yes
. /lib/init/vars.sh
+# Source options
+if [ -f /etc/default/bootlogs ]
+then
+ . /etc/default/bootlogs
+fi
+[ "$LOGFILE_GROUP" ] || LOGFILE_GROUP="adm"
+[ "$LOGFILE_MODE" ] || LOGFILE_MODE="640"
+[ "$OBEY_DMESG_RESTRICT" ] || OBEY_DMESG_RESTRICT=no
+[ "$LOGFILE_RESTRICT_MODE" ] || LOGFILE_RESTRICT_MODE="640"
+
+check_dmesg_restrict()
+{
+ if [ `uname -s` = Linux ]
+ then
+ if which sysctl > /dev/null 2>&1
+ then
+ DMESG_RESTRICT=`sysctl -n kernel.dmesg_restrict`
+ else
+ DMESG_RESTRICT=`cat /proc/sys/kernel/dmesg_restrict`
+ fi
+ fi
+
+}
+
+update_logfile_perms () {
+ if [ "$OBEY_DMESG_RESTRICT" = yes ]
+ then
+ check_dmesg_restrict
+ if [ "$DMESG_RESTRICT" = 1 ]
+ then
+ TARGET_MODE="$LOGFILE_RESTRICT_MODE"
+ else
+ TARGET_MODE="$LOGFILE_MODE"
+ fi
+ else
+ TARGET_MODE="$LOGFILE_MODE"
+ fi
+
+ chmod "$TARGET_MODE" /var/log/dmesg || :
+ chgrp "$LOGFILE_GROUP" /var/log/dmesg || :
+}
+
do_start () {
# Save kernel messages in /var/log/dmesg
if which dmesg >/dev/null 2>&1
then
[ -f /var/log/dmesg ] && savelog -q -p -c 5 /var/log/dmesg
dmesg -s 524288 > /var/log/dmesg
- chgrp adm /var/log/dmesg || :
+ update_logfile_perms
elif [ -c /dev/klog ]
then
[ -f /var/log/dmesg ] && savelog -q -p -c 5 /var/log/dmesg
dd if=/dev/klog of=/var/log/dmesg &
sleep 1
kill $!
- [ -f /var/log/dmesg ] && { chgrp adm /var/log/dmesg || : ; }
+ [ -f /var/log/dmesg ] && update_logfile_perms
fi
}
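Review bot: In do_start the log is still created by `dmesg -s 524288 > /var/log/dmesg` (and by the backgrounded `dd` in the /dev/klog branch) before update_logfile_perms runs, so under a permissive umask (022 is common for init scripts, though it is not visible in this hunk) the file is briefly world-readable. Creating it under a tight umask closes that window, e.g. `( umask 077; dmesg -s 524288 > /var/log/dmesg )`, leaving the later chmod/chgrp to only widen access. LOGFILE_RESTRICT_MODE defaults to the same `640` as LOGFILE_MODE and OBEY_DMESG_RESTRICT defaults to `no`, so out of the box the sysctl check changes nothing and group adm can still read the buffer when kernel.dmesg_restrict=1; a restricted default of `600` would make the switch meaningful. check_dmesg_restrict also leaves DMESG_RESTRICT empty if sysctl or the /proc read fails, which selects the less restrictive mode, so treating an unreadable value as restricted would fail closed. The rotated copies kept by `savelog -p` are not touched by this patch and presumably retain whatever mode they had before.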