Bug#867747: rsyslog: /var/log/dmesg world-readable despite kernel.dmesg_restrict = 1

Pierre Ynard linkfanel at yahoo.fr
Thu Jan 24 10:17:08 GMT 2019

> Interesting. On my system `/var/log/dmesg' is 640, root:adm, which is
> quite restrictive. If I run `/etc/init.d/bootlogs' again, it stays so.
> But if I remove `/var/log/dmesg' and re-run `/etc/init.d/bootlogs',
> `/var/log/dmesg' becomes 644.
> I believe adjustment to `/etc/init.d/bootlogs' to check
> `kernel.dmesg_restrict' is needed. By the way, any ideas how could I
> have 640 `/var/log/dmesg' in first place?

initscripts's postinst script sets the permissions to 640 if the file
doesn't exist.

Setting /var/log/dmesg permissions according to kernel.dmesg_restrict
seems to make sense but I'm a bit skeptical. I suppose that the way it
keeps permissions set on it by the admin is both a bug and a feature.

Pierre Ynard

More information about the Debian-init-diversity mailing list