Bug#867747: rsyslog: /var/log/dmesg world-readable despite kernel.dmesg_restrict = 1

Dmitry Bogatov KAction at debian.org
Tue Feb 5 16:15:47 GMT 2019


[2019-02-04 11:09] Javier M DAW <jmengomdaw at gmail.com>
> Would the attached patch do the trick? (/etc/init.d/bootlogs)

Thank you very much for your patch, but it seems that the issue at hand
needs additional consideration, as pointed out by Pierre in the next email.

> --- a    2019-02-04 11:01:02.000000000 +0100
> +++ b    2019-02-04 11:03:45.000000000 +0100
> @@ -15,20 +15,62 @@
>  [ "$DELAYLOGIN" ] || DELAYLOGIN=yes
>  . /lib/init/vars.sh
>
> +# Source options
> +if [ -f /etc/default/bootlogs ]
> +then
> +    . /etc/default/bootlogs
> +fi
> +[ "$LOGFILE_GROUP" ] || LOGFILE_GROUP="adm"
> +[ "$LOGFILE_MODE" ] || LOGFILE_MODE="640"
> +[ "$OBEY_DMESG_RESTRICT" ] || OBEY_DMESG_RESTRICT=no
> +[ "$LOGFILE_RESTRICT_MODE" ] || LOGFILE_RESTRICT_MODE="640"
> +
> +check_dmesg_restrict()
> +{
> +    if [ `uname -s` = Linux ]
> +    then
> +        if which sysctl > /dev/null 2>&1
> +        then
> +            DMESG_RESTRICT=`sysctl -n kernel.dmesg_restrict`
> +        else
> +            DMESG_RESTRICT=`cat /proc/sys/kernel/dmesg_restrict`
> +        fi
> +    fi
> +
> +}
> +
> +update_logfile_perms () {
> +    if  [ "$OBEY_DMESG_RESTRICT" = yes ]
> +    then
> +            check_dmesg_restrict
> +            if [ "$DMESG_RESTRICT" = 1 ]
> +        then
> +            TARGET_MODE="$LOGFILE_RESTRICT_MODE"
> +        else
> +            TARGET_MODE="$LOGFILE_MODE"
> +        fi
> +    else
> +        TARGET_MODE="$LOGFILE_MODE"
> +    fi
> +
> +    chmod "$TARGET_MODE" /var/log/dmesg || :
> +    chgrp "$LOGFILE_GROUP" /var/log/dmesg || :
> +}
> +
>  do_start () {
>      # Save kernel messages in /var/log/dmesg
>      if which dmesg >/dev/null 2>&1
>      then
>          [ -f /var/log/dmesg ] && savelog -q -p -c 5 /var/log/dmesg
>          dmesg -s 524288 > /var/log/dmesg
> -        chgrp adm /var/log/dmesg || :
> +        update_logfile_perms
>      elif [ -c /dev/klog ]
>      then
>          [ -f /var/log/dmesg ] && savelog -q -p -c 5 /var/log/dmesg
>          dd if=/dev/klog of=/var/log/dmesg &
>          sleep 1
>          kill $!
> -        [ -f /var/log/dmesg ] && { chgrp adm /var/log/dmesg || : ; }
> +        [ -f /var/log/dmesg ] && update_logfile_perms
>      fi
>  }
>
>
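Review bot: The permission change in update_logfile_perms happens only after `dmesg -s 524288 > /var/log/dmesg` has already created the file under the shell's current umask, so a freshly created log holding the kernel ring buffer is world-readable until the chmod runs; the `dd if=/dev/klog of=/var/log/dmesg` branch has the same window, and a crash or kill between the write and the chmod leaves the file at the umask-derived mode permanently. Setting `umask 027` at the top of do_start, or creating the file with the target mode before writing to it (`install -m "$TARGET_MODE" -g "$LOGFILE_GROUP" /dev/null /var/log/dmesg` ahead of the redirect), closes that gap. Note also that `OBEY_DMESG_RESTRICT=no` is the default, so the kernel.dmesg_restrict check never runs unless an administrator opts in via /etc/default/bootlogs — with the default LOGFILE_MODE of 640 the end result is the same, but if this patch is meant to resolve the bug as reported, the default should probably be `yes`. Finally, the test in check_dmesg_restrict should quote its command substitution, `if [ "$(uname -s)" = Linux ]`, and `DMESG_RESTRICT` should be reset to empty at the start of the function so a non-Linux kernel cannot inherit a stale value.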
-- 
        Note, that I send and fetch email in batch, once every 24 hours.
                 If matter is urgent, try https://t.me/kaction
                                                                             --



