FS#69168 - [util-linux] set /usr/bin/dmesg to adm group
Attached to Project:
Arch Linux
Opened by John (graysky) - Friday, 01 January 2021, 12:13 GMT
Last edited by Toolybird (Toolybird) - Sunday, 11 June 2023, 07:45 GMT
Details
Now that we ship the default kernel with
SECURITY_DMESG_RESTRICT enabled[1], regular users cannot
execute dmesg without it ending in an error. This task is to
request the util-linux package to limit access to the
executable to a group to allow admins an easy way to grant
specific users the ability to see dmesg output without
directly invoking sudo or su - root.
The 'wheel' group could be an appropriate choice. Alternatively, we could use 'adm' or 'systemd-journal' as well. Something like the following suggested by loqs[2] could be added to a $pkgbase.install:

chown root:wheel /usr/bin/dmesg
chmod 750 /usr/bin/dmesg
setcap cap_syslog=ep /usr/bin/dmesg

1. https://github.com/archlinux/svntogit-packages/commit/b78bc292e2218661a3b70163ec30711c87100941#diff-3e341d2d9c67be01819b25b25d5e53ea3cdf3a38d28846cda85a195eb9b7203a
2. https://bbs.archlinux.org/viewtopic.php?id=262222
Closed by Toolybird (Toolybird)
Sunday, 11 June 2023, 07:45 GMT
Reason for closing: Won't implement
Additional comments about closing: See comments from PM
This is the point of this change. Tweaking file permissions is the admins' job, not that of Arch packagers, who are supposed to keep what upstream provides. Note that no other distro is doing such hacks, and they have restricted dmesg for years.
For troubled admins I would recommend to finally join this century and move over to journalctl -k. You may even make an alias for that in your shell.
https://gitlab.archlinux.org/pacman/pacman/-/blob/v6.0.0/NEWS#L18
https://gitlab.archlinux.org/pacman/pacman/-/blob/v6.0.0/NEWS#L35
https://gitlab.archlinux.org/pacman/pacman/-/commit/3a23abb2ec0c99d74719f97dcc9d097a105fe42b
https://gitlab.archlinux.org/pacman/pacman/-/commit/88d054093c1c99a697d95b26bd9aad5bc4d8e170
[Trigger]
Operation = Upgrade
Type = Package
Target = util-linux
[Action]
Description = Fixing dmesg permissions...
When = PostTransaction
Exec = /bin/sh -c '/usr/bin/chown root:wheel /usr/bin/dmesg ; /usr/bin/chmod 750 /usr/bin/dmesg ; /usr/bin/setcap cap_syslog=ep /usr/bin/dmesg'
[1] https://man.archlinux.org/man/capabilities.7
[2] https://man.archlinux.org/man/dmesg.1
[3] https://man.archlinux.org/man/syslog.2
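
As an added example (not code from this ticket or from Arch), the following shell check classifies the state that the chown/chmod/setcap commands in the description and the hook above are meant to produce: once /usr/bin/dmesg carries cap_syslog, its execute bits decide who can read the kernel log. The verdict names, the helper names `classify` and `audit_path`, and the default group `wheel` are assumptions of this example, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit a dmesg binary that may carry the cap_syslog file capability.
# classify MODE GROUP CAPS WANT_GROUP
#   MODE  octal mode as printed by `stat -c %a` (e.g. 750)
#   GROUP group owner as printed by `stat -c %G`
#   CAPS  text printed by `getcap FILE` (empty when no file capability is set)
classify() {
    mode=$1 group=$2 caps=$3 want=$4
    case $caps in
        *cap_syslog*) ;;                      # capability present, keep checking
        *) echo "no-capability"; return 0 ;;  # dmesg_restrict applies to every user
    esac
    # With cap_syslog on the file, the execute bits decide who can read the log.
    if [ $(( 0$mode & 01 )) -ne 0 ]; then
        echo "world-executable"               # every local user can read the log
    elif [ "$group" != "$want" ]; then
        echo "unexpected-group"
    elif [ $(( 0$mode & 010 )) -eq 0 ]; then
        echo "group-cannot-execute"           # group members are still locked out
    else
        echo "group-only"                     # the state the ticket asks for
    fi
}

# audit_path FILE [GROUP]: read the live state (GNU stat and libcap's getcap).
audit_path() {
    classify "$(stat -c %a "$1")" "$(stat -c %G "$1")" \
             "$(getcap "$1" 2>/dev/null)" "${2:-wheel}"
}

# Constructed samples: mode, group and getcap text typed in by hand.
echo "750 wheel + cap : $(classify 750 wheel '/usr/bin/dmesg cap_syslog=ep' wheel)"
echo "755 wheel + cap : $(classify 755 wheel '/usr/bin/dmesg cap_syslog=ep' wheel)"
echo "755 root, no cap: $(classify 755 root '' wheel)"

# Pass a path (and optionally a group) to audit a real file.
if [ $# -gt 0 ]; then audit_path "$@"; fi
```

Run it with `/usr/bin/dmesg wheel` as arguments after a util-linux upgrade to confirm whether the hook restored the intended state.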