
How to prevent ordinary users from reading dmesg output

source link: https://www.lujun9972.win/blog/2018/08/03/%E5%A6%82%E4%BD%95%E7%A6%81%E6%AD%A2%E6%99%AE%E9%80%9A%E7%94%A8%E6%88%B7%E6%9F%A5%E7%9C%8Bdmesg%E4%BF%A1%E6%81%AF/index.html


dmesg prints the contents of the kernel ring buffer. Those messages can contain sensitive information (kernel addresses, device and firmware details, mount and authentication errors), which is why reading them should not be open to every local user.

The kernel documentation describes the relevant sysctl as follows:

This toggle indicates whether unprivileged users are prevented from using dmesg(8) to view messages from the kernel's log buffer. When dmesg_restrict is set to (0) there are no restrictions. When dmesg_restrict is set to (1), users must have CAP_SYSLOG to use dmesg(8). The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default value of dmesg_restrict.

So we can block ordinary users from reading dmesg output by setting the kernel parameter dmesg_restrict to 1:

sudo sysctl -w kernel.dmesg_restrict=1

Let's check the current value of dmesg_restrict:

sysctl kernel.dmesg_restrict 
kernel.dmesg_restrict = 1

Now run dmesg again as an ordinary user:

[lujun9972@T520 wikit.docker]$ dmesg
dmesg: read kernel buffer failed: Operation not permitted

dmesg now reports that it cannot read the kernel buffer. The check is enforced in the kernel, not in the dmesg binary: with dmesg_restrict=1, the syslog(2) read actions and opening /dev/kmsg for reading both require CAP_SYSLOG, so other tools that read the ring buffer directly are refused as well. Messages that a log daemon has already copied out of the ring buffer (for example what journalctl -k shows on systemd hosts) are governed by that daemon's own access controls, not by this sysctl.

The sysctl -w change takes effect immediately but is lost on reboot. To make it persistent, add the setting to /etc/sysctl.conf (or to a drop-in file under /etc/sysctl.d/). Note that `sudo echo ... >> /etc/sysctl.conf` does not work: sudo runs only echo, while the >> redirect is performed by the unprivileged shell and fails with "Permission denied". Let tee do the write as root instead, then reload the file so the setting is applied now rather than at the next boot:

echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
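The following script puts the whole procedure together: it audits the current value, can enforce it at runtime, and persists it with a sysctl.d drop-in. This is an added example, not code from the original post. It assumes a Linux host with /proc/sys mounted and, for the enforce step, a working sudo; the drop-in path /etc/sysctl.d/51-dmesg-restrict.conf is a name chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit kernel.dmesg_restrict,
# enforce it at runtime, and persist it with a sysctl.d drop-in.
# Assumptions: Linux with /proc/sys mounted; sudo available for "enforce".
# The drop-in path below is a name chosen for this example.

SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/kernel/dmesg_restrict}"
DROPIN="${DROPIN:-/etc/sysctl.d/51-dmesg-restrict.conf}"

# Print the current dmesg_restrict value from a /proc/sys-style file,
# or "unknown" when the file cannot be read (no /proc, non-Linux host).
read_dmesg_restrict() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'unknown\n'
    fi
}

# Succeed only when the value means "unprivileged dmesg is blocked".
is_restricted() {
    [ "$1" = "1" ]
}

# Content of the persistent drop-in: one key = value line, as sysctl.d expects.
dropin_content() {
    printf 'kernel.dmesg_restrict = 1\n'
}

# Probe what the calling user can do: returns 0 if dmesg(1) could read the
# ring buffer, 1 if the kernel refused (Operation not permitted).
unpriv_dmesg_readable() {
    dmesg >/dev/null 2>&1
}

enforce_dmesg_restrict() {
    # Runtime change: effective immediately, lost on reboot.
    sudo sysctl -w kernel.dmesg_restrict=1
    # Persistent change. The redirect must run as root, so pipe into tee;
    # "sudo echo ... > file" would redirect in the caller's (unprivileged) shell.
    dropin_content | sudo tee "$DROPIN" >/dev/null
    # Re-read all sysctl config so the drop-in is applied now, not at next boot.
    sudo sysctl --system >/dev/null
}

audit() {
    value=$(read_dmesg_restrict "$SYSCTL_FILE")
    if is_restricted "$value"; then
        printf 'kernel.dmesg_restrict=%s: unprivileged dmesg is blocked\n' "$value"
    else
        printf 'kernel.dmesg_restrict=%s: unprivileged users can read the kernel log\n' "$value"
    fi
    if unpriv_dmesg_readable; then
        printf 'this user can read the ring buffer via dmesg(1)\n'
    else
        printf 'dmesg(1) is refused for this user\n'
    fi
}

case "${1:-audit}" in
    audit)   audit ;;
    enforce) enforce_dmesg_restrict && audit ;;
    *)       printf 'usage: %s [audit|enforce]\n' "$0" >&2; exit 2 ;;
esac
```

Run it without arguments as an ordinary user to see the current state, and with `enforce` to apply and persist the restriction; running the audit a second time as the same ordinary user should then show dmesg(1) being refused. The sysctl file is read through a variable so the parsing can be exercised against a constructed file on hosts where /proc/sys is unavailable.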
