Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#69168 - [util-linux] set /usr/bin/dmesg to adm group

Attached to Project: Arch Linux
Opened by John (graysky) - Friday, 01 January 2021, 12:13 GMT
Last edited by Doug Newgard (Scimmia) - Friday, 01 January 2021, 14:20 GMT
Task Type Feature Request
Category Packages: Core
Status Assigned
Assigned To Christian Hesse (eworm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 5
Private No

Details

Now that we ship the default kernel with SECURITY_DMESG_RESTRICT enabled[1], regular users cannot execute dmesg without it ending in an error. This task is to request the util-linux package to limit access to the executable to a group to allow admins an easy way to grant specific users the ability to see dmesg output without directly invoking sudo or su - root.

The 'wheel' group could be an appropriate choice. Alternatively, we could use 'adm' or 'systemd-journal' as well.

Something like the following suggested by loqs[2] could be added to a $pkgbase.install:
chown root:wheel /usr/bin/dmesg
chmod 750 /usr/bin/dmesg
setcap cap_syslog=ep /usr/bin/dmesg

1. https://github.com/archlinux/svntogit-packages/commit/b78bc292e2218661a3b70163ec30711c87100941#diff-3e341d2d9c67be01819b25b25d5e53ea3cdf3a38d28846cda85a195eb9b7203a

2. https://bbs.archlinux.org/viewtopic.php?id=262222
This task depends upon

Comment by Michel Koss (MichelKoss1) - Friday, 01 January 2021, 13:20 GMT
"regular users cannot execute dmesg without it ending in an error."

This is the point of this change. Tweaking file permissions is admins job not Arch packagers who are supposed to keep what upstream provides. Note that no other distro is doing such hacks and they restrict dmesg for years.

For troubled admins I would recommend to finally join this century and move over to journalctl -k. You may even make an alias for that in your shell.
Comment by Christian Hesse (eworm) - Friday, 01 January 2021, 20:23 GMT
I am not sure we really want this...

Loading...