| 2021-01-18 00:33:34 |
Matthew Ruffell |
bug |
|
|
added bug |
| 2021-01-18 00:33:44 |
Matthew Ruffell |
nominated for series |
|
Ubuntu Groovy |
|
| 2021-01-18 00:33:44 |
Matthew Ruffell |
bug task added |
|
rsyslog (Ubuntu Groovy) |
|
| 2021-01-18 00:33:44 |
Matthew Ruffell |
nominated for series |
|
Ubuntu Hirsute |
|
| 2021-01-18 00:33:44 |
Matthew Ruffell |
bug task added |
|
rsyslog (Ubuntu Hirsute) |
|
| 2021-01-18 00:39:03 |
Matthew Ruffell |
rsyslog (Ubuntu Hirsute): status |
New |
In Progress |
|
| 2021-01-18 00:39:05 |
Matthew Ruffell |
rsyslog (Ubuntu Hirsute): importance |
Undecided |
Medium |
|
| 2021-01-18 00:39:08 |
Matthew Ruffell |
rsyslog (Ubuntu Hirsute): assignee |
|
Matthew Ruffell (mruffell) |
|
| 2021-01-18 00:43:06 |
Matthew Ruffell |
description |
[Impact]
In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users.
It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640:
$ ll /var/log
-rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg
-rw-r----- 1 syslog adm 24538 Jan 18 13:05 kern.log
-rw-r----- 1 syslog adm 213911 Jan 18 13:22 syslog
Change /var/log/dmesg to 0640 to close the information leak.
[Testcase]
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
[ 0.000000] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18)
[ 0.000000] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash ---
If you install the package in the following ppa:
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
cat: /var/log/dmesg: Permission denied
[Where problems could occur]
Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. |
[Impact]
In bug 1886112, CONFIG_SECURITY_DMESG_RESTRICT was enabled on the Ubuntu kernel starting with Groovy and onward, in an effort to restrict access to the kernel log buffer from unprivileged users.
It seems we have overlooked /var/log/dmesg, as it is still mode 0644, while /var/log/kern.log, /var/log/syslog are all 0640:
$ ll /var/log
-rw-r--r-- 1 root adm 81768 Jan 18 09:09 dmesg
-rw-r----- 1 syslog adm 24538 Jan 18 13:05 kern.log
-rw-r----- 1 syslog adm 213911 Jan 18 13:22 syslog
Change /var/log/dmesg to 0640 to close the information leak.
[Testcase]
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
[ 0.000000] kernel: Linux version 5.8.0-36-generic (buildd@lgw01-amd64-011) (gcc (Ubuntu 10.2.1-2ubuntu3) 10.2.1 20201221, GNU ld (GNU Binutils for Ubuntu) 2.35.50.20210106) #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 (Ubuntu 5.8.0-36.40+21.04.1-generic 5.8.18)
[ 0.000000] kernel: Command line: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash ---
If you install the package in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/lp1912122-test
$ sudo systemctl daemon-reload
$ sudo systemctl start dmesg.service
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ cat /var/log/dmesg
cat: /var/log/dmesg: Permission denied
[Where problems could occur]
Some users or log scraper programs might need to view the kernel log buffers, and in this case, their underlying service accounts should be added to the 'adm' group. |
|
| 2021-01-18 00:43:31 |
Matthew Ruffell |
rsyslog (Ubuntu Groovy): status |
New |
In Progress |
|
| 2021-01-18 00:43:47 |
Matthew Ruffell |
rsyslog (Ubuntu Groovy): importance |
Undecided |
Medium |
|
| 2021-01-18 00:43:50 |
Matthew Ruffell |
rsyslog (Ubuntu Groovy): assignee |
|
Matthew Ruffell (mruffell) |
|
| 2021-01-18 00:52:53 |
Matthew Ruffell |
tags |
|
sts |
|
| 2021-01-18 03:19:58 |
Matthew Ruffell |
attachment added |
|
Debdiff for rsyslog on hirsute https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454004/+files/lp1912122_hirsute.debdiff |
|
| 2021-01-18 03:20:55 |
Matthew Ruffell |
attachment added |
|
Debdiff for syslog on groovy https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454005/+files/lp1912122_groovy.debdiff |
|
| 2021-01-18 03:32:56 |
Matthew Ruffell |
tags |
sts |
sts sts-sponsor |
|
| 2021-01-18 04:25:28 |
Ubuntu Foundations Team Bug Bot |
tags |
sts sts-sponsor |
patch sts sts-sponsor |
|
| 2021-01-18 04:25:37 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2021-01-19 00:30:55 |
Matthew Ruffell |
attachment removed |
Debdiff for rsyslog on hirsute https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454004/+files/lp1912122_hirsute.debdiff |
|
|
| 2021-01-19 00:31:03 |
Matthew Ruffell |
attachment removed |
Debdiff for syslog on groovy https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454005/+files/lp1912122_groovy.debdiff |
|
|
| 2021-01-19 00:32:12 |
Matthew Ruffell |
attachment added |
|
Debdiff for rsyslog on hirsute https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454310/+files/lp1912122_hirsute_v2.debdiff |
|
| 2021-01-19 00:32:44 |
Matthew Ruffell |
attachment added |
|
Debdiff for syslog on groovy https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+attachment/5454311/+files/lp1912122_groovy_v2.debdiff |
|
| 2021-01-20 21:49:46 |
Matthew Ruffell |
rsyslog (Ubuntu Groovy): status |
In Progress |
Won't Fix |
|
| 2021-01-20 22:33:11 |
Launchpad Janitor |
rsyslog (Ubuntu Hirsute): status |
In Progress |
Fix Released |
|
| 2021-01-28 13:19:20 |
Mauricio Faria de Oliveira |
bug |
|
|
added subscriber Mauricio Faria de Oliveira |
