[2019-02-07 17:08] Thorsten Glaser <t.gla...@tarent.de>
> On Thu, 7 Feb 2019, Dmitry Bogatov wrote:
>
> > Hence, I refine my proposal -- create /var/log/dmesg as 640 in
> > initscripts, *only* if it does not already exist. Ignore
> > kernel.dmesg_restrict.
>
> +1

Here is a patch that solves the issue at hand. Ideally, the same logic should be applied to fsck logs.

From 46c237df7999dc550289709f4955e787ddabaa55 Mon Sep 17 00:00:00 2001
From: Dmitry Bogatov <kact...@debian.org>
Date: Mon, 11 Feb 2019 03:32:09 +0000
Subject: [PATCH] Ensure predictable permission on /var/log/dmesg (Closes: #867747)

* debian/initscripts.postinst: do not create `/var/log/dmesg' during
  package installation.
* debian/src/initscripts/etc/init.d/bootlogs: create `/var/log/dmesg' with
  predictable permissions, if not already present.

With this change, if /var/log/dmesg was removed for whatever reason, it will be recreated with predictable permissions and ownership, instead of recreated as root:root and permissions, depending on umask of `/etc/init.d/bootlogs' script.

--- debian/initscripts.postinst | 2 +- debian/src/initscripts/etc/init.d/bootlogs | 17 +++++++++++++---- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/debian/initscripts.postinst b/debian/initscripts.postinst index 2293045d..c6ac94d4 100755 --- a/debian/initscripts.postinst +++ b/debian/initscripts.postinst @@ -132,7 +132,7 @@ fi # Create initial log files # [ "$PREV_VER" ] || chmod 755 /var/log/fsck || : -for F in /var/log/dmesg /var/log/fsck/checkroot /var/log/fsck/checkfs +for F in /var/log/fsck/checkroot /var/log/fsck/checkfs do if [ ! -f "$F" ] && touch "$F" >/dev/null 2>&1 then diff --git a/debian/src/initscripts/etc/init.d/bootlogs b/debian/src/initscripts/etc/init.d/bootlogs index 3ad7d8b5..686a2afb 100644 --- a/debian/src/initscripts/etc/init.d/bootlogs +++ b/debian/src/initscripts/etc/init.d/bootlogs 
@@ -16,19 +16,28 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin . /lib/init/vars.sh do_start () { + # If /var/log/dmesg exists, rotate it, otherwise touch it with + # reasonable default permsissions and ownership. + # + # savelog(8) preserves ownership and permissions, that were set by + # local system administrator. + if test -f /var/log/dmesg ; then + savelog -q -p -c 5 /var/log/dmesg + else + touch /var/log/dmesg + chown root:adm /var/log/dmesg + chmod 640 /var/log/dmesg + fi + # Save kernel messages in /var/log/dmesg if which dmesg >/dev/null 2>&1 then - [ -f /var/log/dmesg ] && savelog -q -p -c 5 /var/log/dmesg dmesg -s 524288 > /var/log/dmesg - chgrp adm /var/log/dmesg || : elif [ -c /dev/klog ] then - [ -f /var/log/dmesg ] && savelog -q -p -c 5 /var/log/dmesg dd if=/dev/klog of=/var/log/dmesg & sleep 1 kill $! - [ -f /var/log/dmesg ] && { chgrp adm /var/log/dmesg || : ; } fi } -- Note, that I send and fetch email in batch, once every 24 hours. If matter is urgent, try https://t.me/kaction --
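Review bot: In the debian/initscripts.postinst hunk, removing /var/log/dmesg from the `for F in ...` loop means nothing on the upgrade path ever adjusts a file that already exists, and this is not documented anywhere in the patch. The bootlogs side only applies root:adm 640 in its else-branch, when the file is absent; an existing file goes through `savelog -q -p -c 5`, which by the patch's own comment keeps the owner and mode already set. That matches the "only if it does not already exist" proposal, but it also means an upgraded system with looser permissions on /var/log/dmesg stays that way. Please say so in the changelog or a NEWS entry so administrators know to check the mode themselves. The two remaining entries, /var/log/fsck/checkroot and /var/log/fsck/checkfs, still take the old `touch "$F"` path, so the follow-up mentioned in the cover text is needed for them.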
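Review bot: In the bootlogs hunk, the else-branch of `if test -f /var/log/dmesg` runs `touch`, `chown root:adm` and `chmod 640` as three unchecked steps, so a failure of either of the last two leaves the file at root:root with a umask-derived mode, which is the outcome the commit message sets out to remove. The file is empty at that point, so the short window between `touch` and `chmod` exposes nothing by itself, but the kernel log is then written into it whatever the result. Creating the file with its final mode in one step, for example `install -o root -g adm -m 640 /dev/null /var/log/dmesg`, or wrapping the `touch` in a subshell with `umask 027`, avoids depending on the later calls. The removed lines used `chgrp adm /var/log/dmesg || :` to tolerate a failing group change; the new `chown` and `chmod` have no such guard, so if this script runs with errexit (not visible in this hunk) a failure would now abort do_start, and it is worth deciding explicitly whether to warn and continue or to stop. The rotate-or-create block also now runs before the `which dmesg` and `/dev/klog` tests, so when neither is available the previous log is still rotated and an empty file is left in its place; moving the block inside a combined check would keep the old behaviour. Minor: "permsissions" in the new comment should read "permissions".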