Setting CONFIG_SECURITY_DMESG_RESTRICT=y by default would avoid kernel memory address exposures via dmesg [1][2]. It also means that unprivileged users can't use dmesg anymore without su or sudo. If users want to configure their system to keep the current behavior, they can use sysctl. For example:

# echo 'kernel.dmesg_restrict = 0' > /etc/sysctl.d/90-security.conf

[1] https://kspp.github.io/Recommended_Settings
[2] https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#dmesg-restrict
There's also a good forum post about the matter in Clear Linux forums: https://community.clearlinux.org/t/change-to-using-dmesg-enabling-config-security-dmesg-restrict/739/1
This seems like a good idea. I always thought it advisable for journalctl also. It probably warrants an update message informing users of the change. Assigning to kernel.
Assignee: bugsquad => kernel
CC: (none) => ghibomgx
This has been enabled in 6.6.62-1.mga10. Now you get:

dmesg: read kernel buffer failed: Operation not permitted

Maybe we should just mention the above suggestion about kernel.dmesg_restrict=0 in mga10's Release_Notes wiki.
We should probably also advise that users in the groups 'adm', 'systemd-journal', and 'wheel' can use 'journalctl -k' to show kernel messages. According to an Arch Linux forum post [1], 'journalctl -ko short-monotonic --no-hostname' is quite close to the 'dmesg' output.

[1] https://bbs.archlinux.org/viewtopic.php?pid=1947018#p1947018
Keywords: (none) => FOR_RELEASENOTES10
CC: (none) => fri
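As an added example that is not part of this bug report or of Mageia's own tooling: a small Python audit that resolves the effective kernel.dmesg_restrict value from sysctl.d fragments using the precedence rules of sysctl.d(5) (a file in /etc masks a same-named file in /usr/lib; the surviving files apply in filename order, last write wins), so an administrator can confirm whether a 90-security.conf override like the one suggested above actually takes effect. The sample tree it builds is constructed, and every file name other than 90-security.conf is an assumption.

```python
import glob
import os
import tempfile
SYSCTL_DIRS = ("etc/sysctl.d", "run/sysctl.d", "usr/local/lib/sysctl.d", "usr/lib/sysctl.d")  # earlier masks later

def parse_sysctl_fragment(text):
    """Return {key: value} for one .conf fragment ('#'/';' comment lines, optional '-' prefix, '/' or '.' separators)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("-"):       # '-' only suppresses apply errors; the value still counts
            line = line[1:].lstrip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().replace("/", ".")] = value.strip()
    return settings

def effective_sysctl(root, key):
    """Value 'key' ends up with after every fragment under root is applied (sysctl.d(5) rules), or None."""
    winners = {}                       # basename -> path of the copy that masks same-named files elsewhere
    for d in SYSCTL_DIRS:
        for path in glob.glob(os.path.join(root, d, "*.conf")):
            winners.setdefault(os.path.basename(path), path)
    value = None
    for name in sorted(winners):       # lexicographic order across directories; last write wins
        with open(winners[name]) as fh:
            value = parse_sysctl_fragment(fh.read()).get(key, value)
    return value

def dmesg_restrict_weakened(root="/"):
    """True when an override leaves kernel.dmesg_restrict at 0, i.e. dmesg readable by every user."""
    return effective_sysctl(root, "kernel.dmesg_restrict") == "0"

def build_sample_tree(with_override=True):
    """Constructed sample tree (not a real system): distro default, a masked /usr/lib file, the report's override."""
    root = tempfile.mkdtemp()
    fragments = {
        "usr/lib/sysctl.d/50-default.conf": "kernel.dmesg_restrict = 1\n",
        "usr/lib/sysctl.d/99-local.conf": "kernel.dmesg_restrict = 0\n",  # masked by the /etc copy below
        "etc/sysctl.d/99-local.conf": "# local overrides; deliberately empty\n",
    }
    if with_override:                  # the 90-security.conf file suggested in the first comment
        fragments["etc/sysctl.d/90-security.conf"] = "kernel.dmesg_restrict = 0\n"
    for rel, body in fragments.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Run `dmesg_restrict_weakened()` against a live system's `/` to see whether a local override has disabled the restriction; the sample tree only exists to show the masking and ordering rules offline.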
*** Bug 33987 has been marked as a duplicate of this bug. ***
CC: (none) => b116d