Bug#867747: rsyslog: /var/log/dmesg world-readable despite kernel.dmesg_restrict = 1
Dmitry Bogatov
KAction at debian.org
Tue Feb 5 16:15:47 GMT 2019
[2019-02-04 11:09] Javier M DAW <jmengomdaw at gmail.com>
> Would the attached patch do the trick? (/etc/init.d/bootlogs)
Thank you very much for your patch, but it seems that the issue at hand
might need additional consideration, as pointed out by Pierre in the next email.
> --- a 2019-02-04 11:01:02.000000000 +0100
> +++ b 2019-02-04 11:03:45.000000000 +0100
> @@ -15,20 +15,62 @@
> [ "$DELAYLOGIN" ] || DELAYLOGIN=yes
> . /lib/init/vars.sh
>
> +# Source options
> +if [ -f /etc/default/bootlogs ]
> +then
> + . /etc/default/bootlogs
> +fi
> +[ "$LOGFILE_GROUP" ] || LOGFILE_GROUP="adm"
> +[ "$LOGFILE_MODE" ] || LOGFILE_MODE="640"
> +[ "$OBEY_DMESG_RESTRICT" ] || OBEY_DMESG_RESTRICT=no
> +[ "$LOGFILE_RESTRICT_MODE" ] || LOGFILE_RESTRICT_MODE="640"
> +
> +check_dmesg_restrict()
> +{
> + if [ `uname -s` = Linux ]
> + then
> + if which sysctl > /dev/null 2>&1
> + then
> + DMESG_RESTRICT=`sysctl -n kernel.dmesg_restrict`
> + else
> + DMESG_RESTRICT=`cat /proc/sys/kernel/dmesg_restrict`
> + fi
> + fi
> +
> +}
> +
> +update_logfile_perms () {
> + if [ "$OBEY_DMESG_RESTRICT" = yes ]
> + then
> + check_dmesg_restrict
> + if [ "$DMESG_RESTRICT" = 1 ]
> + then
> + TARGET_MODE="$LOGFILE_RESTRICT_MODE"
> + else
> + TARGET_MODE="$LOGFILE_MODE"
> + fi
> + else
> + TARGET_MODE="$LOGFILE_MODE"
> + fi
> +
> + chmod "$TARGET_MODE" /var/log/dmesg || :
> + chgrp "$LOGFILE_GROUP" /var/log/dmesg || :
> +}
> +
> do_start () {
> # Save kernel messages in /var/log/dmesg
> if which dmesg >/dev/null 2>&1
> then
> [ -f /var/log/dmesg ] && savelog -q -p -c 5 /var/log/dmesg
> dmesg -s 524288 > /var/log/dmesg
> - chgrp adm /var/log/dmesg || :
> + update_logfile_perms
> elif [ -c /dev/klog ]
> then
> [ -f /var/log/dmesg ] && savelog -q -p -c 5 /var/log/dmesg
> dd if=/dev/klog of=/var/log/dmesg &
> sleep 1
> kill $!
> - [ -f /var/log/dmesg ] && { chgrp adm /var/log/dmesg || : ; }
> + [ -f /var/log/dmesg ] && update_logfile_perms
> fi
> }
>
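Review bot: In do_start the log is still written by `dmesg -s 524288 > /var/log/dmesg` (and by `dd if=/dev/klog of=/var/log/dmesg` in the other branch) before update_logfile_perms runs, so until the chmod lands the file carries whatever mode the script's umask gives a new file, or the previous file's mode if `savelog -p` carried it over. Creating it restrictively and only then widening it closes that window, e.g. `( umask 077; dmesg -s 524288 > /var/log/dmesg )` followed by `update_logfile_perms`. The `chmod "$TARGET_MODE" /var/log/dmesg || :` line also discards a failure silently, so a log left readable would go unnoticed; a warning on stderr would make that visible. In check_dmesg_restrict, DMESG_RESTRICT stays empty when the value cannot be read (non-Linux, missing /proc entry, sysctl error), which selects LOGFILE_MODE; treating an unreadable value as restricted would fail closed once an admin sets the two modes differently. Already rotated /var/log/dmesg.N copies are not touched by this hunk and may keep their old mode, which is worth checking separately.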
>
--
Note, that I send and fetch email in batch, once every 24 hours.
If matter is urgent, try https://t.me/kaction
--