Bug 653250

Summary: kernel: restrict unprivileged access to kernel syslog [rhel-5.6]
Product: Red Hat Enterprise Linux 5 Reporter: Eugene Teo (Security Response) <eteo>
Component: kernelAssignee: Frantisek Hrbata <fhrbata>
Status: CLOSED ERRATA QA Contact: Mike Gahagan <mgahagan>
Severity: high Docs Contact:
Priority: high    
Version: 5.6CC: cww, dhoward, jarod, jpirko, lwang, plyons
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 653245 Environment:
Last Closed: 2011-01-13 22:00:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 653245, 653252, 653254    
Bug Blocks: 658886    

Description Eugene Teo (Security Response) 2010-11-15 04:19:42 UTC 
+++ This bug was initially created as a clone of Bug #653245 +++

Description of problem:
The kernel syslog contains debugging information that is often useful during exploitation of other vulnerabilities, such as kernel heap addresses.  Rather than futilely attempt to sanitize hundreds (or thousands) of printk statements and simultaneously cripple useful debugging functionality, it is far simpler to create an option that prevents unprivileged users from reading the syslog.
    
This patch, loosely based on grsecurity's GRKERNSEC_DMESG, creates the dmesg_restrict sysctl.  When set to "0", the default, no restrictions are enforced.  When set to "1", only users with CAP_SYS_ADMIN can read the kernel syslog via dmesg(8) or other mechanisms.

Upstream commit:
http://git.kernel.org/linus/eaf06b241b091357e72b76863ba16e89610d31bd
Comment 3 RHEL Program Management 2010-11-30 22:59:10 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 7 Jarod Wilson 2010-12-07 19:16:50 UTC 
in kernel-2.6.18-236.el5
You can download this test kernel (or newer) from http://people.redhat.com/jwilson/el5

Detailed testing feedback is always welcomed.
Comment 9 Mike Gahagan 2010-12-08 19:36:33 UTC 
confirmed setting dmesg_restrict to 1 will block dmesg log viewing as a user while still allowing root to run dmesg. 

[m@localhost ~]$ dmesg
klogctl: Operation not permitted
[m@localhost ~]$ cat /proc/sys/kernel/dmesg_restrict 
1
[m@localhost ~]$ 
[m@localhost ~]$ cat /proc/sys/kernel/dmesg_restrict 
0
[m@localhost ~]$ dmesg | head -n 2
Linux version 2.6.18-236.el5 (mockbuild.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Mon Dec 6 18:41:54 EST 2010
Command line: ro root=/dev/VolGroup00/LogVol00 rhgb quiet
Comment 11 errata-xmlrpc 2011-01-13 22:00:55 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0017.html