Bug#867747: rsyslog: /var/log/dmesg world-readable despite kernel.dmesg_restrict = 1

Dmitry Bogatov KAction at debian.org
Mon Feb 11 18:21:47 GMT 2019


[2019-02-07 17:08] Thorsten Glaser <t.glaser at tarent.de>
>
> On Thu, 7 Feb 2019, Dmitry Bogatov wrote:
>
> > Hence, I refine my proposal -- create /var/log/dmesg as 640 in
> > initscripts, *only* if it does not already exists. Ignore
> > kernel.dmesg_restrict.
>
> +1

Here is a patch that solves the issue at hand. Ideally, the same logic should be
applied to fsck logs.

From 46c237df7999dc550289709f4955e787ddabaa55 Mon Sep 17 00:00:00 2001
From: Dmitry Bogatov <KAction at debian.org>
Date: Mon, 11 Feb 2019 03:32:09 +0000
Subject: [PATCH] Ensure predictable permission on /var/log/dmesg (Closes:
 #867747)

  * debian/initscripts.postinst: do not create `/var/log/dmesg' during
    package installation.

  * debian/src/initscripts/etc/init.d/bootlogs: create `/var/log/dmesg'
    with predictable permissions, if not already present.

With this change, if /var/log/dmesg was removed for whatever reason,
it will be recreated with predictable permissions and ownership, instead of
being recreated as root:root with permissions depending on the umask of the
`/etc/init.d/bootlogs' script.
---
 debian/initscripts.postinst                |  2 +-
 debian/src/initscripts/etc/init.d/bootlogs | 17 +++++++++++++----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/debian/initscripts.postinst b/debian/initscripts.postinst
index 2293045d..c6ac94d4 100755
--- a/debian/initscripts.postinst
+++ b/debian/initscripts.postinst
@@ -132,7 +132,7 @@ fi
 # Create initial log files
 #
 [ "$PREV_VER" ] || chmod 755 /var/log/fsck || :
-for F in /var/log/dmesg /var/log/fsck/checkroot /var/log/fsck/checkfs
+for F in /var/log/fsck/checkroot /var/log/fsck/checkfs
 do
 	if [ ! -f "$F" ] && touch "$F" >/dev/null 2>&1
 	then
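Review bot: dropping /var/log/dmesg from the postinst loop leaves an already existing, world-readable /var/log/dmesg untouched on upgraded systems, because the bootlogs change only sets ownership and mode when the file is absent. If that is intended (the quoted proposal says to ignore an existing file), it is worth stating in the changelog; otherwise a one-time `chown root:adm /var/log/dmesg` and `chmod 640 /var/log/dmesg`, guarded by `[ "$PREV_VER" ]` like the `chmod 755 /var/log/fsck` line just above, would bring existing installations in line.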
diff --git a/debian/src/initscripts/etc/init.d/bootlogs b/debian/src/initscripts/etc/init.d/bootlogs
index 3ad7d8b5..686a2afb 100644
--- a/debian/src/initscripts/etc/init.d/bootlogs
+++ b/debian/src/initscripts/etc/init.d/bootlogs
@@ -16,19 +16,28 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin
 . /lib/init/vars.sh
 
 do_start () {
+	# If /var/log/dmesg exists, rotate it, otherwise touch it with
+	# reasonable default permsissions and ownership.
+	#
+	# savelog(8) preserves ownership and permissions, that were set by
+	# local system administrator.
+	if test -f /var/log/dmesg ; then
+		savelog -q -p -c 5 /var/log/dmesg
+	else
+		touch /var/log/dmesg
+		chown root:adm /var/log/dmesg
+		chmod 640 /var/log/dmesg
+	fi
+
 	# Save kernel messages in /var/log/dmesg
 	if which dmesg >/dev/null 2>&1
 	then
-		[ -f /var/log/dmesg ] && savelog -q -p -c 5 /var/log/dmesg
 		dmesg -s 524288 > /var/log/dmesg
-		chgrp adm /var/log/dmesg || :
 	elif [ -c /dev/klog ]
 	then
-		[ -f /var/log/dmesg ] && savelog -q -p -c 5 /var/log/dmesg
 		dd if=/dev/klog of=/var/log/dmesg &
 		sleep 1
 		kill $!
-		[ -f /var/log/dmesg ] && { chgrp adm /var/log/dmesg || : ; }
 	fi
 }
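Review bot: the rotation branch appears to reintroduce the very case the commit message describes: savelog is called without -t, so after rotation /var/log/dmesg no longer exists, and the later `dmesg -s 524288 > /var/log/dmesg` (or the `dd` redirect) recreates it through a shell redirection, i.e. root:root with a umask-dependent mode, while the `chgrp adm` lines that previously corrected this are deleted; -p only preserves attributes on a file savelog itself creates. Suggest either adding -t to the savelog call or moving the touch/chown/chmod after the if/fi so it runs in both cases, e.g. `[ -f /var/log/dmesg ] && savelog -q -p -c 5 /var/log/dmesg` followed by `touch /var/log/dmesg; chown root:adm /var/log/dmesg; chmod 640 /var/log/dmesg`. Two smaller points: the new block now rotates the log even when neither dmesg nor /dev/klog is available (the old code only rotated when it was about to rewrite the file), and the comment has a typo, "permsissions".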
-- 
        Note, that I send and fetch email in batch, once every 24 hours.
                 If matter is urgent, try https://t.me/kaction
                                                                             --




More information about the Debian-init-diversity mailing list