
users may see firewall logs [solved]


mrmagoo


Hi!

 

Is there a way to make firewall logs unreadable by users?

 

In general: is there a way to restrict dmesg(8) output to only the superuser?

 

One way would be a daemon that runs "dmesg -c" every second, but that can't be the right way... :wall:

 

Is there a device file I can chmod(1) to accomplish this?

 

:thanks:


#chmod o-x /bin/dmesg

That removes the execute bit for "other" users, so only root and members of the root group can run it.

 

Well, that's not a solution either: it's trivial to download the rpm, or to compile a small C program that calls klogctl(2) directly.

 

Moreover, I could just copy the binary to /tmp and execute it from there (since you didn't turn off the read bits)...

 

The situation is actually worse, and the klogctl manpage is misleading. It says:

       Quoting from kernel/printk.c:
      /*
       * Commands to sys_syslog:
       *
       *      0 -- Close the log.  Currently a NOP.
       *      1 -- Open the log. Currently a NOP.
       *      2 -- Read from the log.
       *      3 -- Read up to the last 4k of messages in the ring buffer.
       .....
      Only  function  3  is  allowed  to non-root processes.

 

and my kernel source says:

 *      3 -- Read all messages remaining in the ring buffer.

 

So the options would be: recompiling the kernel (overkill), a daemon that clears the ring buffer repeatedly (ugly), or sending the firewall messages through ULOG instead (which I think adds a little overhead).

 

I'd prefer the second one (the clearing daemon); is there some other way?



Well, I finally found a way...

 

I just patched klogd(8) to clear the kernel ring buffer every time it finds no unread bytes...

 

Here's the diff for sysklogd-1.4.1-6mdk

 

305,306d304
< static int    clear_kernbuf = 0;
<
1002c1000
<       while ((ch = getopt(argc, argv, "Cc:df:iIk:nopsvx2")) != EOF)
---
>       while ((ch = getopt(argc, argv, "c:df:iIk:nopsvx2")) != EOF)
1008,1010d1005
<                   case 'C':           /* Clear kernel ring buffer */
<                       clear_kernbuf = 1;
<                       break;
1197,1208d1191
<               if (clear_kernbuf) {
<                       int x;
<                       /* 9 -- Return number of unread characters */
<                       if ((x = ksyslog(9, NULL, 0)) == 0) {
<                               /* 5 -- Clear ring buffer. */
<                               x = ksyslog(5, NULL, 0);
<                               if (debugging && (x < 0))
<                                       perror("klogctl(5, NULL, 0");
<                       }
<                       else if (debugging && (x < 0))
<                               perror("klogctl(9, NULL, 0)");
<               }

 

This adds a new option, -C, which must also be added to the klogd options in /etc/sysconfig/syslog for it to take effect.


Neither msyslog, nor syslog-ng, nor metalog clears the kernel log buffer, and it would be worth patching them too since they appear to be more security-driven. It would be even more interesting if Mandrake supported these packages officially; only syslog-ng is in contrib.

 

Anyway, the patch for sysklogd-1.4.1-6mdk (shipped with Mandrake 10.1) is this:

diff -u -p klogd.c klogd.c.orig

--- klogd.c     2005-06-03 23:59:27.000000000 -0400
+++ klogd.c.orig        2005-06-03 23:11:59.000000000 -0400
@@ -302,8 +302,6 @@ static int  use_syscall = 0,
               symbol_lookup = 1,
               no_fork = 0;    /* don't fork - don't run in daemon mode */

-static int     clear_kernbuf = 0;
-
static char    *symfile = (char *) 0,
               log_buffer[LOG_BUFFER_SIZE];

@@ -999,15 +997,12 @@ int main(argc, argv)
       chdir ("/");
#endif
       /* Parse the command-line. */
-       while ((ch = getopt(argc, argv, "Cc:df:iIk:nopsvx2")) != EOF)
+       while ((ch = getopt(argc, argv, "c:df:iIk:nopsvx2")) != EOF)
               switch((char)ch)
               {
                   case '2':           /* Print lines with symbols twice. */
                       symbols_twice = 1;
                       break;
-                   case 'C':           /* Clear kernel ring buffer */
-                       clear_kernbuf = 1;
-                       break;
                   case 'c':           /* Set console message level. */
                       log_level = optarg;
                       break;
@@ -1194,18 +1189,6 @@ int main(argc, argv)
                               pause();
                               break;
               }
-               if (clear_kernbuf) {
-                       int x;
-                       /* 9 -- Return number of unread characters */
-                       if ((x = ksyslog(9, NULL, 0)) == 0) {
-                               /* 5 -- Clear ring buffer. */
-                               x = ksyslog(5, NULL, 0);
-                               if (debugging && (x < 0))
-                                       perror("klogctl(5, NULL, 0");
-                       }
-                       else if (debugging && (x < 0))
-                               perror("klogctl(9, NULL, 0)");
-               }
       }
}
/*
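Review bot: Clearing the ring buffer only when klogctl(9) reports zero unread bytes narrows the exposure but does not close it: any message the kernel writes between klogd's read and the klogctl(5) call, or before klogd's next wakeup, is still readable by an unprivileged process calling klogctl(3), so firewall log lines remain visible for up to the polling interval. The clear is also global, so any other consumer of the ring buffer (a second log daemon, dmesg in a boot script) silently loses those messages; the -C help text and /etc/sysconfig/syslog comment should say so. Note this diff is reversed (the `-` lines are the additions, apply with `patch -R`), and main() begins before this hunk. The debug string should be `perror("klogctl(5, NULL, 0)");` to match the command-9 message.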

