oss-sec mailing list archives
Re: CVE Request -- kernel: sysctl: restrict write access to dmesg_restrict
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Wed, 26 Oct 2011 13:43:16 -0400
On Wed, Oct 26, 2011 at 11:16 AM, Petr Matousek <pmatouse () redhat com> wrote:
> When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the kernel ring buffer. But a root user without CAP_SYS_ADMIN is able to reset dmesg_restrict to 0.
Minor correction: CAP_SYSLOG is needed to read the kernel ring buffer, with CAP_SYS_ADMIN being a fallback for legacy reasons. But it's correct that CAP_SYS_ADMIN is now required to modify the sysctl. I also agree with Vasiliy's point that LXC security boundaries in the mainline kernel are not well defined at this point, so the whole thing is a bit silly.

-Dan
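An added example, not part of Dan's reply or of the thread: a small C program that models the two checks he describes (reading the ring buffer needs CAP_SYSLOG, with CAP_SYS_ADMIN as the legacy fallback, once dmesg_restrict is 1; writing the sysctl needs CAP_SYS_ADMIN) and applies them to the calling process's own effective capabilities read from /proc. The function names and the parsing of the CapEff line are this example's assumptions; it does not reproduce the kernel's code paths.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Capability bit numbers from linux/capability.h. */
#define CAP_SYS_ADMIN 21
#define CAP_SYSLOG    34
#define HAS_CAP(mask, bit) ((((mask) >> (bit)) & 1ULL) != 0)

/* Model of the kernel check for reading the whole ring buffer: with
 * dmesg_restrict == 0 anyone may read; otherwise CAP_SYSLOG is required,
 * with CAP_SYS_ADMIN accepted as the legacy fallback. 1 = allowed. */
int ring_buffer_read_allowed(int dmesg_restrict, uint64_t cap_eff)
{
    if (!dmesg_restrict)
        return 1;
    return HAS_CAP(cap_eff, CAP_SYSLOG) || HAS_CAP(cap_eff, CAP_SYS_ADMIN);
}

/* After the fix discussed in the thread, resetting the sysctl needs
 * CAP_SYS_ADMIN; being uid 0 alone is not enough. */
int sysctl_write_allowed(uint64_t cap_eff)
{
    return HAS_CAP(cap_eff, CAP_SYS_ADMIN);
}

/* Pull the hex "CapEff:" bitmask out of /proc/<pid>/status text (0 if absent). */
uint64_t parse_cap_eff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    return p ? strtoull(p + 7, NULL, 16) : 0;
}

int main(void)
{
    char buf[4096] = {0};
    int restrict_val = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    f = fopen("/proc/sys/kernel/dmesg_restrict", "r");
    if (f) { if (fscanf(f, "%d", &restrict_val) != 1) restrict_val = -1; fclose(f); }
    if (!buf[0] || restrict_val < 0) { fprintf(stderr, "need Linux /proc with kernel.dmesg_restrict\n"); return 1; }
    uint64_t caps = parse_cap_eff(buf);
    printf("dmesg_restrict=%d CapEff=%#llx\n", restrict_val, (unsigned long long)caps);
    printf("ring buffer readable: %s\n", ring_buffer_read_allowed(restrict_val, caps) ? "yes" : "no");
    printf("can reset dmesg_restrict: %s\n", sysctl_write_allowed(caps) ? "yes" : "no");
    return 0;
}
```

Run it as an unprivileged user, as root, and inside a container with a reduced capability bounding set to see how the answer changes with dmesg_restrict and CapEff.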