kernel ring buffer accessible by users

kernel ring buffer accessible by users

[Julien Oster]

Hello,

it's been quite a while that I noticed that any ordinary user, not
just root, can type "dmesg" to see the kernel ring buffer.

My question now is: Why? I often saw things in the kernel ring buffer
which I don't want every user to know (e.g. some telephone numbers with
ISDN).

Are there any problems in just letting root get the contents of the
kernel ring buffer?

Julien

Re: kernel ring buffer accessible by users

[Michael Buesch]

On Tuesday 22 April 2003 18:21, Julien Oster wrote:
> it's been quite a while that I noticed that any ordinary user, not
> just root, can type "dmesg" to see the kernel ring buffer.

just make
$ chmod 700 /bin/dmesg

-- 
Regards Michael Buesch.
http://www.8ung.at/tuxsoft

$ cat /dev/zero > /dev/null
/dev/null: That's *not* funny! :(

Re: kernel ring buffer accessible by users

[Grzegorz Jaskiewicz]

On Tue, 2003-04-22 at 17:44, Michael Buesch wrote:
> On Tuesday 22 April 2003 18:21, Julien Oster wrote:
> > it's been quite a while that I noticed that any ordinary user, not
> > just root, can type "dmesg" to see the kernel ring buffer.
> 
> just make
> $ chmod 700 /bin/dmesg
and chmod 0600 /var/log/dmesg , as on some systems it is rw-r--r--

-- 
Grzegorz Jaskiewicz <gj@pointblue.com.pl>
K4 labs

Re: kernel ring buffer accessible by users

[Jörn Engel]

On Tue, 22 April 2003 18:44:05 +0200, Michael Buesch wrote:
> 
> On Tuesday 22 April 2003 18:21, Julien Oster wrote:
> > it's been quite a while that I noticed that any ordinary user, not
> > just root, can type "dmesg" to see the kernel ring buffer.
> 
> just make
> $ chmod 700 /bin/dmesg

scp /bin/dmesg remote:
ssh remote ./dmesg

Jörn

-- 
Good warriors cause others to come to them and do not go to others.
-- Sun Tzu

Re: kernel ring buffer accessible by users

[Julien Oster]

On Tue, Apr 22, 2003 at 06:44:05PM +0200, Michael Buesch wrote:

Hello Michael,

> > it's been quite a while that I noticed that any ordinary user, not
> > just root, can type "dmesg" to see the kernel ring buffer.

> just make
> $ chmod 700 /bin/dmesg

Thanks for the answer, but that doesn't help that much, since any user
could copy dmesg from his system or simply code a dmesg replacement
within a few minutes.

Regards,
Julien

Re: kernel ring buffer accessible by users

[Robert Love]

On Tue, 2003-04-22 at 12:21, Julien Oster wrote:

> My question now is: Why? I often saw things in the kernel ring buffer
> which I don't want every user to know (e.g. some telephone numbers with
> ISDN).

I think the problem is that kernel messages should not contain private
information, like ISDN phone numbers.  Why is that even in the kernel?

Are you sure its not in /var/log/messages?  The system log contains more
than just dmesg output.  If it is just syslog stuff, just set
/var/log/messages to 0600.

If it is actually coming from the kernel, I would fix the code that is
printed such private information.

	Robert Love

Re: kernel ring buffer accessible by users

[Richard B. Johnson]

On Tue, 22 Apr 2003, Julien Oster wrote:

> On Tue, Apr 22, 2003 at 06:44:05PM +0200, Michael Buesch wrote:
>
> Hello Michael,
>
> > > it's been quite a while that I noticed that any ordinary user, not
> > > just root, can type "dmesg" to see the kernel ring buffer.
>
> > just make
> > $ chmod 700 /bin/dmesg
>
> Thanks for the answer, but that doesn't help that much, since any user
> could copy dmesg from his system or simply code a dmesg replacement
> within a few minutes.
>
> Regards,
> Julien
> -

dmesg gets it's data from syslog(0x03, char *buf, size_t buf_len)
where 0x03 says 'read' up to 4k.

The kernel interface is documented to return -EPERM if the effective
user isn't root. I have just tried `dmesg` from several machines
with various versions of Linux and they all allow a user to read.

The usual "tie-breaker" I use for configuration problems is
my Sun. It runs SunOs 5.5.1 and it allows an ordinary user
to execute `dmesg` and read kernel messages.


Script started on Tue Apr 22 13:49:44 2003
$ rlogin -l johnson hal
Password:
Last login: Wed Nov  6 09:29:53 from chaos
hal:/export/home/johnson[1] who am i
johnson    pts/0        Apr 22 13:42	(chaos)
hal:/export/home/johnson[2] dmesg

Apr 22 13:42
SunOS Release 5.5.1 Version Generic [UNIX(R) System V Release 4.0]
Copyright (c) 1983-1996, Sun Microsystems, Inc.
vac: enabled in writeback mode
cpu0: FMI,MB86907 (mid 0 impl 0x0 ver 0x5 clock 170 MHz)
mem = 32768K (0x2000000)
avail mem = 28446720
Ethernet address = 8:0:20:8e:b:0
root nexus = SUNW,SPARCstation-5
iommu0 at root: obio 0x10000000
sbus0 at iommu0: obio 0x10001000
espdma0 at sbus0: SBus slot 5 0x8400000
esp0 at espdma0: SBus slot 5 0x8800000 sparc ipl 4
sd0 at esp0: target 0 lun 0
sd0 is /iommu@0,10000000/sbus@0,10001000/espdma@5,8400000/esp@5,8800000/sd@0,0
	<SEAGATE-ST32155N-0532 cyl 4162 alt 2 hd 8 sec 126>
sd2 at esp0: target 2 lun 0
sd2 is /iommu@0,10000000/sbus@0,10001000/espdma@5,8400000/esp@5,8800000/sd@2,0
	Vendor 'PIONEER', product 'DE-C7001', (unknown capacity)
sd3 at esp0: target 3 lun 0
sd3 is /iommu@0,10000000/sbus@0,10001000/espdma@5,8400000/esp@5,8800000/sd@3,0
	<SUN2.1G cyl 2733 alt 2 hd 19 sec 80>
root on /iommu@0,10000000/sbus@0,10001000/espdma@5,8400000/esp@5,8800000/sd@3,0:a fstype ufs
obio0 at root
zs0 at obio0: obio 0x100000 sparc ipl 12
zs0 is /obio/zs@0,100000
zs1 at obio0: obio 0x0 sparc ipl 12
zs1 is /obio/zs@0,0
cgsix0 at sbus0: SBus slot 3 0x0 SBus level 5 sparc ipl 9
cgsix0 is /iommu@0,10000000/sbus@0,10001000/cgsix@3,0
cgsix0: screen 1152x900, single buffered, 1M mappable, rev 11
cpu 0 initialization complete - online
ledma0 at sbus0: SBus slot 5 0x8400010
le0 at ledma0: SBus slot 5 0x8c00000 sparc ipl 6
le0 is /iommu@0,10000000/sbus@0,10001000/ledma@5,8400010/le@5,8c00000
dump on /dev/dsk/c0t3d0s1 size 66108K
pcmcia: no PCMCIA adapters found
hal:/export/home/johnson[3] exit
logout
rlogin: connection closed.
# exit
exit
Script done on Tue Apr 22 13:50:18 2003


It doesn't look like there's anything that an ordinary user
shouldn't see. If somebody has written code that sends
proprietary information out this "hole", that code should
be fixed, not this.


Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.

Re: kernel ring buffer accessible by users

[Jason Cook]

[-- Attachment #1: Type: text/plain, Size: 807 bytes --]

* Julien Oster (frodo@dereference.de) wrote:
> 
> Hello,
> 
> it's been quite a while that I noticed that any ordinary user, not
> just root, can type "dmesg" to see the kernel ring buffer.
> 
> My question now is: Why? I often saw things in the kernel ring buffer
> which I don't want every user to know (e.g. some telephone numbers with
> ISDN).
> 
> Are there any problems in just letting root get the contents of the
> kernel ring buffer?
> 
> Julien
> -

grsec has an option to do this:

http://www.grsecurity.net/

-- 
Jason Cook                 |  GnuPG Fingerprint: D531 F4F4 BDBF 41D1 514D
GNU/Linux Engineering Lead |                     F930 FD03 262E 5120 BEDD
evolServ Technology        |  Home page: http://reinit.org

cthread.  cthread_fork().  Fork, thread, fork!

[-- Attachment #2: Type: application/pgp-signature, Size: 240 bytes --]

Re: kernel ring buffer accessible by users

[Olaf Hering]

 On Tue, Apr 22, Julien Oster wrote:

> My question now is: Why? I often saw things in the kernel ring buffer
> which I don't want every user to know (e.g. some telephone numbers with
> ISDN).

This is a bug in the kernel ISDN code. The userspace daemon must log it
to syslog, these messages do not belong to the dmesg buffer.

-- 
USB is for mice, FireWire is for men!

Re: kernel ring buffer accessible by users

[Werner Almesberger]

Robert Love wrote:
> I think the problem is that kernel messages should not contain private
> information, like ISDN phone numbers.  Why is that even in the kernel?

How do you know what is sensitive information ? A kernel debug
message may just say something like "bad message 47 65 68 65 69 6d",
and the kernel has no idea that this is actually a password
("Geheim").

- Werner

-- 
  _________________________________________________________________________
 / Werner Almesberger, Buenos Aires, Argentina         wa@almesberger.net /
/_http://www.almesberger.net/____________________________________________/

Re: kernel ring buffer accessible by users

[Robert Love]

On Wed, 2003-04-23 at 11:56, Werner Almesberger wrote:

> How do you know what is sensitive information ? A kernel debug
> message may just say something like "bad message 47 65 68 65 69 6d",
> and the kernel has no idea that this is actually a password

Why on earth would the user give the kernel a password?

The point is user input like telephone numbers or passwords should never
be fed into the kernel anyhow.  On the rare case it is (apparently this
ISDN instance, assuming it is actually from dmesg and not syslog), the
kernel should not echo it.

	Robert Love

Re: kernel ring buffer accessible by users

[Julien Oster]

On Wed, Apr 23, 2003 at 12:56:03PM -0300, Werner Almesberger wrote:

Hello Werner,

> > I think the problem is that kernel messages should not contain private
> > information, like ISDN phone numbers.  Why is that even in the kernel?

> How do you know what is sensitive information ? A kernel debug
> message may just say something like "bad message 47 65 68 65 69 6d",
> and the kernel has no idea that this is actually a password
> ("Geheim").

Exactly what I mean, thanks for pointing this out!

I'm afraid I can't remember a specific example, but I remember that
there actually happened something like that and those were things where
the kernel simply couldn't know that the info it gave was "secret".

Of course one could say "then let's just stop writing out anything in
the kernel buffer that COULD be sensitive", but I think this would
actually castrate the meaning of such a buffer.

Why exactly should an ordinary user have access to the kernel ring
buffer? I can't imagine anything that could be of any interest for him
or her. And there's stillt he possibility to tweak the permissions for
dmesg so that only a certain group (staff, operator, adm...) can execute
it, but then setuid root. That way, operators being non-root are also
happy.

Just because Solaris allows access, Linux doesn't have to, or has it?
And I think that in all those years the kernel output from Linux has
been growing immensly compared to that of Solaris.

Regards,
Julien

Re: kernel ring buffer accessible by users

[Werner Almesberger]

Robert Love wrote:
> Why on earth would the user give the kernel a password?

That's just an example. It could be any other sensitive information,
including kernel state that you don't want to reveal to users.

I think it's a reasonable assumption that one can speak freely in a
printk message. Avoiding to print anything that may possibly contain
sensitive information is likely to make messages less useful, just
think of all the data revealed in an oops.

> The point is user input like telephone numbers or passwords should never
> be fed into the kernel anyhow.

Yes, a bit odd. Maybe because of "intelligent" cards that implement
the signalling in firmware. Anyway, this is an entirely different
issue.
 
- Werner

-- 
  _________________________________________________________________________
 / Werner Almesberger, Buenos Aires, Argentina         wa@almesberger.net /
/_http://www.almesberger.net/____________________________________________/

Re: kernel ring buffer accessible by users

[Werner Almesberger]

Julien Oster wrote:
> Of course one could say "then let's just stop writing out anything in
> the kernel buffer that COULD be sensitive", but I think this would
> actually castrate the meaning of such a buffer.

It's also bad security design to try to plug hundreds of potential
leaks, instead of the one common channel they share.

> And there's stillt he possibility to tweak the permissions for
> dmesg so that only a certain group (staff, operator, adm...) can execute
> it, but then setuid root.

Yes, but you'll get quite a few objections to adding yet another
suid root program :-)

- Werner

-- 
  _________________________________________________________________________
 / Werner Almesberger, Buenos Aires, Argentina         wa@almesberger.net /
/_http://www.almesberger.net/____________________________________________/

Re: kernel ring buffer accessible by users

[Frank v Waveren]

On Wed, Apr 23, 2003 at 01:45:30PM -0300, Werner Almesberger wrote:
> Yes, but you'll get quite a few objections to adding yet another
> suid root program :-)

Why not make it mode 440, and have a mount option for the proc
filesystem that gives which gid certain sensitive files should have.
The openwall security patch does this (with a few further restrictions
to the permissions of certain /proc files) and I like it a lot.

-- 
Frank v Waveren                                      Fingerprint: 21A7 C7F3
fvw@[var.cx|stack.nl|chello.nl] ICQ#10074100            1FF3 47FF 545C CB53
Public key: hkp://wwwkeys.pgp.net/fvw@var.cx            7BD9 09C0 3AC1 6DF2

Re: kernel ring buffer accessible by users

[David Wagner]

Werner Almesberger  wrote:
>Robert Love wrote:
>> Why on earth would the user give the kernel a password?
>
>That's just an example. It could be any other sensitive information,
>including kernel state that you don't want to reveal to users.
>
>I think it's a reasonable assumption that one can speak freely in a
>printk message.

Robert Love's position seems reasonable to me.  Can you show an example
where it is useful and appropriate to print secrets out using printk()?
It strikes me as risky and unnecessary, but maybe I'm missing something.

Re: kernel ring buffer accessible by users

[David Wagner]

Julien Oster wrote:
>Of course one could say "then let's just stop writing out anything in
>the kernel buffer that COULD be sensitive", but I think this would
>actually castrate the meaning of such a buffer.

Would it?  I can't think of anything that currently should be printed
to the ring buffer and is known to be secret.

Re: kernel ring buffer accessible by users

[Stephan von Krawczynski]

On 24 Apr 2003 00:31:22 GMT
daw@mozart.cs.berkeley.edu (David Wagner) wrote:

> Julien Oster wrote:
> >Of course one could say "then let's just stop writing out anything in
> >the kernel buffer that COULD be sensitive", but I think this would
> >actually castrate the meaning of such a buffer.
> 
> Would it?  I can't think of anything that currently should be printed
> to the ring buffer and is known to be secret.

The simple truth is: you cannot really qualify what a "secret" is or is not. It
depends on the _reader_(s' interest), not the _writer_ (s' intention). 

Regards,
Stephan

Re: kernel ring buffer accessible by users

[Grzegorz Jaskiewicz]

On Wed, 2003-04-23 at 16:59, Robert Love wrote:
> On Wed, 2003-04-23 at 11:56, Werner Almesberger wrote:
> 
> > How do you know what is sensitive information ? A kernel debug
> > message may just say something like "bad message 47 65 68 65 69 6d",
> > and the kernel has no idea that this is actually a password
> 
> Why on earth would the user give the kernel a password?
> 
> The point is user input like telephone numbers or passwords should never
> be fed into the kernel anyhow.  On the rare case it is (apparently this
> ISDN instance, assuming it is actually from dmesg and not syslog), the
> kernel should not echo it.
Some will probably agree that this kind of information should be
optionaly ( option in kernel configuration ) restricted for non root
users. The same problem apply to /proc restrictions, that are available
with grsec only, but many will also agree that this should be option in
kernel. 
One of the security rules says that we should not give away information
that is not required for others. Fe. nobody should know (except
root/administrators) who is loged on or even what programs i am running.
This way i am able sometimes to see sensitive information that is passed
in command line (fe with wget).
   
-- 
Grzegorz Jaskiewicz <gj@pointblue.com.pl>
K4 Labs