Re: [PATCH] Restrict unprivileged access to kernel syslog

From: Pavel Machek
Date: Wed Nov 17 2010 - 05:03:46 EST

Next message: Magnus Damm: "Re: [PATCH 01/05] fbdev: sh_mipi_dsi: Remove request/release mem region"
Previous message: Tejun Heo: "Re: [PATCH] libata: remove unlock+relock cycle in ata_scsi_queuecmd"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue 2010-11-09 12:06:49, Alan Cox wrote:
> On Mon, 08 Nov 2010 22:28:58 -0500
> Dan Rosenberg <drosenberg@xxxxxxxxxxxxx> wrote:
>
> > The kernel syslog contains debugging information that is often useful
> > during exploitation of other vulnerabilities, such as kernel heap
> > addresses. Rather than futilely attempt to sanitize hundreds (or
> > thousands) of printk statements and simultaneously cripple useful
> > debugging functionality, it is far simpler to create an option that
> > prevents unprivileged users from reading the syslog.
>
> Except for anything that appears on the screen - which is remotely
> readable via the screen access APIs. Looks sane to me (pointless but
> sane) and the checks match the ones needed to redirect the console so you
> need CAP_SYS_ADMIN either way.

/dev/vcsa is only protected by filesystem permissions IIRC.

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Magnus Damm: "Re: [PATCH 01/05] fbdev: sh_mipi_dsi: Remove request/release mem region"
Previous message: Tejun Heo: "Re: [PATCH] libata: remove unlock+relock cycle in ata_scsi_queuecmd"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]