You are not logged in.

#1 2020-12-31 19:41:45

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

kernel config protects dmesg ... which group membership allows access

Seems that we enabled SECURITY_DMESG_RESTRICT with the release of 5.10.4.  I tried added a regular user to the adm group (logout/login) but am still getting the dmesg: read kernel buffer failed: Operation not permitted.  Response to calling dmesg.  What am I missing?

$ id
uid=1001(smack) gid=100(users) groups=100(users),4(adm)

$ dmesg
dmesg: read kernel buffer failed: Operation not permitted

CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#2 2020-12-31 20:23:33

loqs
Member
Registered: 2014-03-06
Posts: 17,193

Re: kernel config protects dmesg ... which group membership allows access

I believe user needs the CAP_SYSLOG capability for dmesg with SECURITY_DMESG_RESTRICT.  If you want to access dmesg as none root user you can access it through the journal filter for kernel messages for the current boot.
Edit:
You can also set kernel.dmesg_restrict=0 to allow any user to access dmesg as before.
https://www.kernel.org/doc/Documentatio … kernel.txt

Also fixed capability is CAP_SYSLOG not CAP_SYS_ADMIN.
Edit2:

You could limit it to a group with:

chown root:adm /usr/bin/dmesg
chmod 750 /usr/bin/dmesg
setcap cap_syslog=ep /usr/bin/dmesg

Last edited by loqs (2020-12-31 20:53:32)

Offline

#3 2021-01-01 12:13:14

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: kernel config protects dmesg ... which group membership allows access

@loqs - Thanks for the suggestions.  Particularly edit 2.  https://bugs.archlinux.org/task/69168

EDIT:

If others are wanting this functionality, a simple pacman hook can do it. Drop the following in /etc/pacman.d/hooks/10-dmesg-fix.hook

[Trigger]
Operation = Upgrade
Type = Package
Target = util-linux

[Action]
Description = Fixing dmesg permissions...
When = PostTransaction
Exec = /bin/sh -c '/usr/bin/chown root:wheel /usr/bin/dmesg ; /usr/bin/chmod 750 /usr/bin/dmesg ; /usr/bin/setcap cap_syslog=ep /usr/bin/dmesg'

Last edited by graysky (2021-06-05 11:32:41)


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#4 2021-01-01 12:37:45

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 592

Re: kernel config protects dmesg ... which group membership allows access

As loqs mentioned, using journalctl -k could the simpler approach. Then, as long as you're in the adm, wheel or systemd-journal group, you'll have access to the journal.

Offline

#5 2021-01-01 13:53:35

loqs
Member
Registered: 2014-03-06
Posts: 17,193

Re: kernel config protects dmesg ... which group membership allows access

This is fairly close to dmesg format:

journalctl -ko short-monotonic --no-hostname

Last edited by loqs (2021-01-01 14:03:32)

Offline

Board footer

Powered by FluxBB