Objective: Prevent unprivileged users from using dmesg to view messages from the kernel's log buffer.
The kernel ring buffer is a data structure that records messages related to the operation of the Linux kernel. A ring buffer is constant in size, and the oldest messages are overwritten when new messages come in.
The contents of the kernel ring buffer can be printed using the dmesg command.

```
$ dmesg
```
To read the dmesg contents in a human readable format, use the following command.

```
$ dmesg --human --color
```
The kernel parameter kernel.dmesg_restrict can be used to restrict non-root or unprivileged users from using dmesg. When kernel.dmesg_restrict is set to 1, only root and users who have the CAP_SYSLOG capability can use dmesg.
To restrict the use of dmesg, run the following sysctl command.

```
$ sudo sysctl -w kernel.dmesg_restrict=1
```
You can also modify the kernel parameter by writing to the dmesg_restrict file in the proc filesystem.

```
$ sudo sh -c 'echo 1 > /proc/sys/kernel/dmesg_restrict'
```
The current value of the kernel parameter can be checked by running the following command.

```
$ sysctl kernel.dmesg_restrict
```
Once the dmesg restriction is in place, unprivileged users will get the following error when running dmesg.

```
$ dmesg
dmesg: read kernel buffer failed: Operation not permitted
```
To allow a certain group of users to use dmesg, for example to only allow users from the wheel group to use dmesg, Linux capabilities could be used.
Run the following commands to create a dmesg.wheel binary that will have the CAP_SYSLOG capability.

```
# sudo cp /bin/dmesg /bin/dmesg.wheel
# sudo chown root:wheel /bin/dmesg.wheel
# sudo chmod 750 /bin/dmesg.wheel
# sudo setcap cap_syslog=ep /bin/dmesg.wheel
```
Now, users in the wheel group can run the dmesg.wheel command to print the dmesg contents.