On Mon, Mar 04, 2024 at 11:37:49PM -0700, Chris Murphy wrote: > > > On Wed, Feb 28, 2024, at 6:45 AM, Peter Robinson wrote: > > On Wed, 28 Feb 2024 at 13:38, Barry Scott <[email protected]> wrote: > >> > >> > >> > >> On 28 Feb 2024, at 10:24, Karel Zak <[email protected]> wrote: > >> > >> You can restore the original behavior by using: > >> > >> # sysctl kernel.dmesg_restrict=0 > >> > >> However, be aware of the security consequences ;-) > >> > >> > >> Given I can get the same information from journalctl -k what is the > >> improvement? > > > > I believe you need to be in the wheel group to get that info from > > journalctl > > I'm in the wheel group as is everyone else by default installing Fedora. A > vast majority of Fedora users have this peculiar UX where `journalctl -k` not > not require `sudo` but `dmesg` does require it. I think that's annoying and > weird.
That is true. But please note that there's a huge list of processes that are not in the wheel group: e.g. any random service on the system that is running unprivileged. Previously, it would have access to dmesg, possibly making it easier to escalate some vulnerability to full root access. With this change, dmesg becomes unavailable so extracting information about the running kernel is harder. Zbyszek -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
