Bug#867747: rsyslog: /var/log/dmesg world-readable despite kernel.dmesg_restrict = 1
Dmitry Bogatov
KAction at debian.org
Thu Feb 7 15:23:48 GMT 2019
[2019-02-05 17:28] Thorsten Glaser <t.glaser at tarent.de>
> > As I understand the situation, I favor the second option. So the question is, would
> > anybody be unhappy if initscripts overrides a manual `chown/chmod' on
> > logs created by initscripts?
>
> Yes.
>
> It’s fine to adjust permissions on first install, and 0640 root:adm
> are sensible defaults, but to change whatever the local admin then
> decides is not acceptable. (I think there’s a policy somewhere for
> this, even.)

This is how things are done now. At debian/initscripts.posting:135,
if /var/log/dmesg does not exist, it is touched with 640, root:adm;
permissions are preserved by `savelog -p'.

But if /var/log/dmesg gets removed, on the next boot it will be recreated
with another default -- 644. I believe this is how the submitter got a
world-readable /var/log/dmesg.

Hence, I refine my proposal -- create /var/log/dmesg as 640 in
initscripts, *only* if it does not already exist. Ignore
kernel.dmesg_restrict.

More objections?
--
Note that I send and fetch email in batch, once every 24 hours.
If the matter is urgent, try https://t.me/kaction
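
The refined proposal in the message above (create the log as 640 only when it is missing, never touch an existing file), sketched as an added shell example. This is not the initscripts code; `ensure_log` and its arguments are hypothetical names, and the owner is only applied when running as root.

```shell
#!/bin/sh
# ensure_log PATH [MODE] [OWNER:GROUP]   (hypothetical helper, added example)
# Create PATH with a restrictive mode only if nothing is there yet.
# An existing file keeps whatever owner and mode the local admin chose.
# kernel.dmesg_restrict is deliberately not consulted, as in the proposal.
ensure_log() {
    el_path=$1
    el_mode=${2:-640}
    el_owner=${3:-}

    # Anything already at PATH (file, or symlink even if dangling):
    # do not chmod/chown it and do not follow it.
    if [ -e "$el_path" ] || [ -L "$el_path" ]; then
        return 0
    fi

    # Create inside a subshell so umask/noclobber do not leak to the caller.
    # umask 077: the file is never world-readable, not even before chmod.
    # set -C   : the redirection fails if something appeared at PATH meanwhile.
    if ! ( umask 077; set -C; : > "$el_path" ) 2>/dev/null; then
        # Lost a race: someone else created it, so leave it alone.
        if [ -e "$el_path" ] || [ -L "$el_path" ]; then
            return 0
        fi
        return 1    # real failure, e.g. missing directory
    fi

    chmod "$el_mode" "$el_path" || return 1

    # Ownership such as root:adm can only be set by root.
    if [ -n "$el_owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$el_owner" "$el_path" || return 1
    fi
    return 0
}

# Example call at boot (path and owner as discussed in the thread):
#   ensure_log /var/log/dmesg 640 root:adm
```

Removing the file and calling the helper again recreates it as 640 rather than under the process umask, which covers the removed-then-recreated case the message describes.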
--
More information about the Debian-init-diversity
mailing list