Bug 653245

Summary: kernel: restrict unprivileged access to kernel syslog [rhel-6.1]
Product: Red Hat Enterprise Linux 6 Reporter: Eugene Teo (Security Response) <eteo>
Component: kernelAssignee: Frantisek Hrbata <fhrbata>
Status: CLOSED ERRATA QA Contact: Petr Beňas <pbenas>
Severity: high Docs Contact:
Priority: high    
Version: 6.1CC: arozansk, dhoward, dtian, fhrbata, lwang, pbenas, plougher, pstehlik, snagar
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: kernel-2.6.32-112.el6 Doc Type: Bug Fix
Doc Text:
The kernel syslog contains debugging information that is often useful during exploitation of other vulnerabilities such as kernel heap addresses. With this update, a new CONFIG_SECURITY_DMESG_RESTRICT option has been added to config-generic-rhel which prevents unprivileged users from reading the kernel syslog. This option is by default turned off (0), which means no restrictions.
 Story Points: ---
Clone Of:
: 653250 653252 653254 (view as bug list) Environment:
Last Closed: 2011-05-23 20:29:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 653250, 653252, 653254, 683822    

Description Eugene Teo (Security Response) 2010-11-15 04:06:10 UTC 
Description of problem:
The kernel syslog contains debugging information that is often useful during exploitation of other vulnerabilities, such as kernel heap addresses.  Rather than futilely attempt to sanitize hundreds (or thousands) of printk statements and simultaneously cripple useful debugging functionality, it is far simpler to create an option that prevents unprivileged users from reading the syslog.
    
This patch, loosely based on grsecurity's GRKERNSEC_DMESG, creates the dmesg_restrict sysctl.  When set to "0", the default, no restrictions are enforced.  When set to "1", only users with CAP_SYS_ADMIN can read the kernel syslog via dmesg(8) or other mechanisms.

Upstream commit:
http://git.kernel.org/linus/eaf06b241b091357e72b76863ba16e89610d31bd
Comment 2 Aristeu Rozanski 2011-02-03 15:38:02 UTC 
Patch(es) available on kernel-2.6.32-112.el6
Comment 6 Petr Beňas 2011-02-21 12:14:32 UTC 
Reproduced in 2.6.32-94.el6.x86_64 and verified in 2.6.32-109.el6.x86_64.
Comment 9 Martin Prpič 2011-04-12 12:47:29 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The kernel syslog contains debugging information that is often useful during exploitation of other vulnerabilities such as kernel heap addresses. With this update, a new CONFIG_SECURITY_DMESG_RESTRICT option has been added to config-generic-rhel which prevents unprivileged users from reading the kernel syslog. This option is by default turned off (0), which means no restrictions.
Comment 12 errata-xmlrpc 2011-05-23 20:29:19 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0542.html