mrmagoo Posted May 26, 2005
Hi! Is there a way to make firewall logs unreadable by users? In general: is there a way to restrict dmesg(8) output to only the superuser? One way would be a daemon that runs "dmesg -c" every second, but this can't be the best way... Is there a device file I can chmod(1) to accomplish this?
aioshin Posted May 27, 2005
# chmod o-x /bin/dmesg
That will remove the x (execute) capability of other users, and only root and the root group can run it.
mrmagoo (Author) Posted May 27, 2005
> # chmod o-x /bin/dmesg
> That will remove the x (execute) capability of other users, and only root and the root group can run it.

Well, it's not a solution either, because it's trivial to download the rpm or compile a C program that calls klogctl(2). Moreover, I could just copy it to /tmp and execute it (since you didn't turn off the read bits)...
The situation is worse, and the klogctl manpage is misleading... It says:

Quoting from kernel/printk.c:
/*
 * Commands to sys_syslog:
 *
 * 0 -- Close the log. Currently a NOP.
 * 1 -- Open the log. Currently a NOP.
 * 2 -- Read from the log.
 * 3 -- Read up to the last 4k of messages in the ring buffer.
 .....
Only function 3 is allowed to non-root processes.

and my kernel source says:
 * 3 -- Read all messages remaining in the ring buffer.

So, the solution would be recompiling the kernel (overkill), a daemon that calls dmesg repeatedly (ugly), or using ULOG (which I think adds a little overhead). I prefer #2. Is there some other way?
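As an added example (not from the thread or from sysklogd), this is option #2 done with klogctl(2) directly instead of spawning dmesg: a root-run poller that clears the ring buffer only when nothing is unread, so it never clears while klogd still has bytes to forward. The command macros, the simulated buffer and all function names are constructed here; the real syscall path needs root, so without it the program only exercises the policy on the simulator.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/klog.h>   /* klogctl(2): glibc wrapper for sys_syslog */
/* Command numbers as listed in the kernel/printk.c comment quoted above */
#define KLOG_CLEAR        5   /* clear ring buffer (root only) */
#define KLOG_SIZE_UNREAD  9   /* bytes the log consumer has not read yet */

/* Syscall as a function pointer, so the policy also runs on a simulated buffer without root */
typedef int (*klog_fn)(int type, char *buf, int len);

/* One poll: clear the buffer only when klogd has nothing left to read.
 * Returns 1 if cleared, 0 if skipped (bytes still pending), -1 on error. */
static int clear_if_drained(klog_fn ksyslog)
{
    int unread = ksyslog(KLOG_SIZE_UNREAD, NULL, 0);
    if (unread < 0) return -1;
    if (unread > 0) return 0;   /* klogd still has messages to forward */
    return ksyslog(KLOG_CLEAR, NULL, 0) < 0 ? -1 : 1;
}

/* Simulated ring buffer (constructed, not a real kernel) for unprivileged runs */
static int sim_unread, sim_clears;
static int sim_klogctl(int type, char *buf, int len)
{
    (void)buf; (void)len;
    if (type == KLOG_SIZE_UNREAD) return sim_unread;
    if (type == KLOG_CLEAR) { sim_clears++; return 0; }
    return -1;                  /* anything else is unsupported here */
}

/* Run one poll with `unread` pending bytes; 1 if the buffer got cleared. */
static int simulate_poll(int unread)
{
    sim_unread = unread; sim_clears = 0;
    return clear_if_drained(sim_klogctl) == 1 && sim_clears == 1;
}
static int real_klogctl(int t, char *b, int l) { return klogctl(t, b, l); }
int main(void)
{
    if (geteuid() != 0) {       /* unprivileged: show the policy on the simulator */
        printf("120 bytes pending -> cleared=%d\n", simulate_poll(120));
        printf("0 bytes pending   -> cleared=%d\n", simulate_poll(0));
        return 0;
    }
    for (;;) {                  /* root: poll the real ring buffer once a second */
        if (clear_if_drained(real_klogctl) < 0) { perror("klogctl"); return 1; }
        sleep(1);
    }
}
```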
mrmagoo (Author) Posted June 4, 2005
Well, I finally found a way... I just patched klogd(8) to clear the kernel ring buffer every time there are no bytes unread... Here's the diff for sysklogd-1.4.1-6mdk:
305,306d304 < static int clear_kernbuf = 0; < 1002c1000 < while ((ch = getopt(argc, argv, "Cc:df:iIk:nopsvx2")) != EOF) --- > while ((ch = getopt(argc, argv, "c:df:iIk:nopsvx2")) != EOF) 1008,1010d1005 < case 'C': /* Clear kernel ring buffer */ < clear_kernbuf = 1; < break; 1197,1208d1191 < if (clear_kernbuf) { < int x; < /* 9 -- Return number of unread characters */ < if ((x = ksyslog(9, NULL, 0)) == 0) { < /* 5 -- Clear ring buffer. */ < x = ksyslog(5, NULL, 0); < if (debugging && (x < 0)) < perror("klogctl(5, NULL, 0"); < } < else if (debugging && (x < 0)) < perror("klogctl(9, NULL, 0)"); < }
Added a brand new option -C, which should be in /etc/sysconfig/syslog too.
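Review bot: the debug message in the last hunk (1197,1208d1191) has a typo in its string, `perror("klogctl(5, NULL, 0");` is missing the closing parenthesis that its sibling `perror("klogctl(9, NULL, 0)");` has, so the two error lines will not match up in the log; also note that `x` is overwritten by the second ksyslog() call, so after a failed clear the unread count is gone, which is fine here but worth a comment if the value is ever needed again.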
Qchem Posted June 10, 2005
It may be worth passing the patch upstream, to see if anyone would find it useful.
mrmagoo (Author) Posted June 11, 2005
Neither msyslog, nor syslog-ng, nor metalog clears the kernel log buffer, and it would be worth patching them too since they appear to be more security-driven. It would be even more interesting if Mandrake supported these packages. Only syslog-ng is in contrib. Anyway, the patch for sysklogd-1.4.1-6mdk (shipped with Mandrake 10.1) is this:
diff -u -p klogd.c klogd.c.orig --- klogd.c 2005-06-03 23:59:27.000000000 -0400 +++ klogd.c.orig 2005-06-03 23:11:59.000000000 -0400 @@ -302,8 +302,6 @@ static int use_syscall = 0, symbol_lookup = 1, no_fork = 0; /* don't fork - don't run in daemon mode */ -static int clear_kernbuf = 0; - static char *symfile = (char *) 0, log_buffer[LOG_BUFFER_SIZE]; @@ -999,15 +997,12 @@ int main(argc, argv) chdir ("/"); #endif /* Parse the command-line. */ - while ((ch = getopt(argc, argv, "Cc:df:iIk:nopsvx2")) != EOF) + while ((ch = getopt(argc, argv, "c:df:iIk:nopsvx2")) != EOF) switch((char)ch) { case '2': /* Print lines with symbols twice. */ symbols_twice = 1; break; - case 'C': /* Clear kernel ring buffer */ - clear_kernbuf = 1; - break; case 'c': /* Set console message level. */ log_level = optarg; break; @@ -1194,18 +1189,6 @@ int main(argc, argv) pause(); break; } - if (clear_kernbuf) { - int x; - /* 9 -- Return number of unread characters */ - if ((x = ksyslog(9, NULL, 0)) == 0) { - /* 5 -- Clear ring buffer. */ - x = ksyslog(5, NULL, 0); - if (debugging && (x < 0)) - perror("klogctl(5, NULL, 0"); - } - else if (debugging && (x < 0)) - perror("klogctl(9, NULL, 0)"); - } } } /*
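Review bot: the header lines `--- klogd.c` / `+++ klogd.c.orig` show the diff was taken with the patched file as the old side, so every hunk here removes the `-C` feature instead of adding it (the new `clear_kernbuf` code appears as `-` lines); anyone applying it to the stock 1.4.1-6mdk source would need `patch -R`, and before sending it upstream as suggested it should be regenerated the other way round, as `diff -u -p klogd.c.orig klogd.c`.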