Bug 653250 - kernel: restrict unprivileged access to kernel syslog [rhel-5.6]
Summary: kernel: restrict unprivileged access to kernel syslog [rhel-5.6]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.6
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Frantisek Hrbata
QA Contact: Mike Gahagan
URL:
Whiteboard:
Depends On: 653245 653252 653254
Blocks: 658886
TreeView+ depends on / blocked
 
Reported: 2010-11-15 04:19 UTC by Eugene Teo (Security Response)
Modified: 2013-01-11 03:32 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 653245
Environment:
Last Closed: 2011-01-13 22:00:55 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0017 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 5.6 kernel security and bug fix update 2011-01-13 10:37:42 UTC

Description Eugene Teo (Security Response) 2010-11-15 04:19:42 UTC 
+++ This bug was initially created as a clone of Bug #653245 +++

Description of problem:
The kernel syslog contains debugging information that is often useful during exploitation of other vulnerabilities, such as kernel heap addresses.  Rather than futilely attempt to sanitize hundreds (or thousands) of printk statements and simultaneously cripple useful debugging functionality, it is far simpler to create an option that prevents unprivileged users from reading the syslog.
    
This patch, loosely based on grsecurity's GRKERNSEC_DMESG, creates the dmesg_restrict sysctl.  When set to "0", the default, no restrictions are enforced.  When set to "1", only users with CAP_SYS_ADMIN can read the kernel syslog via dmesg(8) or other mechanisms.

Upstream commit:
http://git.kernel.org/linus/eaf06b241b091357e72b76863ba16e89610d31bd
Comment 3 RHEL Program Management 2010-11-30 22:59:10 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 7 Jarod Wilson 2010-12-07 19:16:50 UTC 
in kernel-2.6.18-236.el5
You can download this test kernel (or newer) from http://people.redhat.com/jwilson/el5

Detailed testing feedback is always welcomed.
Comment 9 Mike Gahagan 2010-12-08 19:36:33 UTC 
confirmed setting dmesg_restrict to 1 will block dmesg log viewing as a user while still allowing root to run dmesg. 

[m@localhost ~]$ dmesg
klogctl: Operation not permitted
[m@localhost ~]$ cat /proc/sys/kernel/dmesg_restrict 
1
[m@localhost ~]$ 
[m@localhost ~]$ cat /proc/sys/kernel/dmesg_restrict 
0
[m@localhost ~]$ dmesg | head -n 2
Linux version 2.6.18-236.el5 (mockbuild.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Mon Dec 6 18:41:54 EST 2010
Command line: ro root=/dev/VolGroup00/LogVol00 rhgb quiet
Comment 11 errata-xmlrpc 2011-01-13 22:00:55 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0017.html
Note You need to log in before you can comment on or make changes to this bug.