On 17/3/25 09:38, Todd Zullinger wrote:
Stephen Morris wrote:
Just a query first off, why do I need to run dmesg under sudo for it to produce its output?
In Fedora 39 (or there about), the CONFIG_SECURITY_DMESG_RESTRICT kernel config was changed. The commit in the Fedora kernel source tree provides some useful details¹:
Turn on SECURITY_DMESG_RESTRICT It was requested by ProdSec that we enable SECURITY_DMESG_RESTRICT as this makes several security bugs more difficult to exploit. It should be noted that this just controls the default setting of kernel.dmesg_restrict sysctl and thus can be always set back to 0 at runtime. Users in the wheel group also have access to journalctl -k or sudo for dmesg access without giving it to every user on the system.¹ https://gitlab.com/cki-project/kernel-ark/-/commit/ed5ba266c6
Thanks Todd, it's been quite a while since I've used DMESG, but I don't remember ever having to use sudo with it, nor do I remember ever seeing the message about kernel buffer access being denied, but it just means I will now have to always remember to use sudo with it. Although logically it doesn't make sense to me, it is only a read so what damage can a read do, but then there are also folders under /etc that you can't issue an LS against without sudo, so I guess it's just the same thing.
regards, Steve