FS#69168 - [util-linux] set /usr/bin/dmesg to adm group

Attached to Project: Arch Linux
Opened by John (graysky) - Friday, 01 January 2021, 12:13 GMT
Last edited by Toolybird (Toolybird) - Sunday, 11 June 2023, 07:45 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

Now that we ship the default kernel with SECURITY_DMESG_RESTRICT enabled[1], regular users cannot execute dmesg without it ending in an error. This task is to request the util-linux package to limit access to the executable to a group to allow admins an easy way to grant specific users the ability to see dmesg output without directly invoking sudo or su - root.

The 'wheel' group could be an appropriate choice. Alternatively, we could use 'adm' or 'systemd-journal' as well.

Something like the following suggested by loqs[2] could be added to a $pkgbase.install:
chown root:wheel /usr/bin/dmesg
chmod 750 /usr/bin/dmesg
setcap cap_syslog=ep /usr/bin/dmesg

1. https://github.com/archlinux/svntogit-packages/commit/b78bc292e2218661a3b70163ec30711c87100941#diff-3e341d2d9c67be01819b25b25d5e53ea3cdf3a38d28846cda85a195eb9b7203a

2. https://bbs.archlinux.org/viewtopic.php?id=262222

Closed by  Toolybird (Toolybird)
Sunday, 11 June 2023, 07:45 GMT
Reason for closing:  Won't implement
Additional comments about closing:  See comments from PM
Comment by Michel Koss (MichelKoss1) - Friday, 01 January 2021, 13:20 GMT
"regular users cannot execute dmesg without it ending in an error."

This is the point of this change. Tweaking file permissions is the admin's job, not the Arch packagers', who are supposed to keep what upstream provides. Note that no other distro is doing such hacks, and they have restricted dmesg for years.

For troubled admins I would recommend to finally join this century and move over to journalctl -k. You may even make an alias for that in your shell.
Comment by Christian Hesse (eworm) - Friday, 01 January 2021, 20:23 GMT
I am not sure we really want this...
Comment by lukpod (lukpod) - Tuesday, 01 June 2021, 21:32 GMT
Comment by John (graysky) - Friday, 04 June 2021, 10:45 GMT
If others are wanting this functionality, a simple pacman hook can do it. Drop the following in /etc/pacman.d/hooks/10-dmesg-fix.hook

[Trigger]
Operation = Upgrade
Type = Package
Target = util-linux

[Action]
Description = Fixing dmesg permissions...
When = PostTransaction
Exec = /bin/sh -c '/usr/bin/chown root:wheel /usr/bin/dmesg ; /usr/bin/chmod 750 /usr/bin/dmesg ; /usr/bin/setcap cap_syslog=ep /usr/bin/dmesg'
Comment by lukpod (lukpod) - Monday, 11 October 2021, 22:05 GMT
CAP_SYSLOG [1] on dmesg [2] would allow every user allowed to execute it more than just reading [3] without becoming root (entering password).

[1] https://man.archlinux.org/man/capabilities.7
[2] https://man.archlinux.org/man/dmesg.1
[3] https://man.archlinux.org/man/syslog.2

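An added example that is not part of the ticket, of util-linux, or of Arch packaging: lukpod's objection is that cap_syslog on the whole dmesg binary lets group members issue every syslog(2) action, not just the read ones (SYSLOG_ACTION_CLEAR, SYSLOG_ACTION_CONSOLE_OFF/ON and SYSLOG_ACTION_CONSOLE_LEVEL are also gated by CAP_SYSLOG). The least-privilege alternative is to give the capability to a helper that can only read. The program below does exactly that: it calls klogctl() with SYSLOG_ACTION_SIZE_BUFFER and SYSLOG_ACTION_READ_ALL only, and parses the raw "<prio>" record prefix so that it can filter by log level. The install path /usr/local/bin/dmesg-ro and the group name adm in the comments are assumptions, and the action numbers are defined locally because glibc's <sys/klog.h> does not export them.

```c
/* dmesg-ro.c: read-only kernel ring buffer viewer (added example, not
 * util-linux code). Build and install (path and group are assumptions):
 *   cc -O2 -Wall -o dmesg-ro dmesg-ro.c
 *   install -m 0750 -g adm dmesg-ro /usr/local/bin/dmesg-ro
 *   setcap cap_syslog=ep /usr/local/bin/dmesg-ro
 * Unlike cap_syslog on /usr/bin/dmesg itself, this helper never issues the
 * CLEAR or CONSOLE_* actions, so group members gain read access and nothing
 * else. Usage: dmesg-ro [max_level]  (0..7, default 7 = everything).
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/klog.h>

/* Action numbers from syslog(2); not defined in glibc's <sys/klog.h>. */
#define SYSLOG_ACTION_READ_ALL     3
#define SYSLOG_ACTION_SIZE_BUFFER 10

/* Copy the whole ring buffer into a malloc'd, NUL-terminated string.
 * Returns NULL with errno set on failure: EPERM is what an unprivileged
 * caller gets when kernel.dmesg_restrict=1 and the process lacks CAP_SYSLOG. */
char *read_ring_buffer(size_t *out_len)
{
    int size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, NULL, 0);
    if (size <= 0)
        return NULL;                 /* errno left as set by klogctl */
    char *buf = malloc((size_t)size + 1);
    if (!buf)
        return NULL;
    int n = klogctl(SYSLOG_ACTION_READ_ALL, buf, size);
    if (n < 0) {
        int saved = errno;
        free(buf);
        errno = saved;
        return NULL;
    }
    buf[n] = '\0';
    if (out_len)
        *out_len = (size_t)n;
    return buf;
}

/* Each raw record begins with "<N>" where N = facility * 8 + level.
 * Returns the level (0..7), or -1 if the line carries no valid prefix
 * (e.g. a continuation line). On success *rest points just past the '>'. */
int parse_record_level(const char *line, const char **rest)
{
    if (line[0] != '<')
        return -1;
    char *end;
    long n = strtol(line + 1, &end, 10);
    if (end == line + 1 || *end != '>' || n < 0)
        return -1;
    if (rest)
        *rest = end + 1;
    return (int)(n & 7);
}

/* Print every record whose level is <= max_level (lower = more severe;
 * 4 = KERN_WARNING). Pass out = NULL to only count matching records.
 * Returns the number of matching records. */
int print_records(const char *buf, int max_level, FILE *out)
{
    int matched = 0;
    for (const char *p = buf; *p;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *msg = p;
        int level = parse_record_level(p, &msg);
        if (level >= 0 && level <= max_level) {
            if (out)
                fprintf(out, "[%d] %.*s\n", level, (int)(p + len - msg), msg);
            matched++;
        }
        p += len;
        if (*p == '\n')
            p++;
    }
    return matched;
}

int main(int argc, char **argv)
{
    int max_level = argc > 1 ? atoi(argv[1]) : 7;
    char *buf = read_ring_buffer(NULL);
    if (!buf) {
        perror("klogctl");           /* EPERM without CAP_SYSLOG under dmesg_restrict */
        return 1;
    }
    print_records(buf, max_level, stdout);
    free(buf);
    return 0;
}
```

Because the helper's capability set is attached to a binary whose only privileged calls are the two read actions, a member of the group can neither clear the buffer nor change the console log level, which is the extra power lukpod points out that cap_syslog on dmesg itself would hand out.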