Access Parity to system logs...

I noticed recently that the Manjaro kernel now requires sudo privileges to execute dmesg. I understand the reasons why. However, a normal user can execute journalctl -f to stream system logs. For the sake of consistency and security, prohibit non-root users from executing journalctl as well, or at least limit its output to user-level logs.

For dmesg it can be set and unset with sysctl, and the current setup is more or less the modern default across tons of distros. Not so much 'the manjaro kernel'. See here:

As to the journal:

man journalctl:

All users are granted access to their private per-user journals. However, by default, only root and users who are members of a few special groups are granted access to the system journal and the journals of other users. Members of the groups "systemd-journal", "adm", and "wheel" can read all journal files. Note that the two latter groups traditionally have additional privileges specified by the distribution. Members of the "wheel" group can often perform administrative tasks.

...So are we saying initial (first, single, from install) users should not be part of the wheel group?
That would make using the system a bit harder.

For new users after the initial (admin) user .. you can certainly decide which groups they are in.

One way to provide parity would be if dmesg was also accessible to users of the wheel or adm groups in the same way.

I don't know how involved that would be, or whether it would just need an /etc/sudoers.d entry.

Still trying to decide if I technically more agree in tightening journalctl - but I don't see a clear path.
Whereas 'opening' dmesg seems easier, would keep things more 'familiar' for users, but is technically making us less secure, instead of more.

Is it less secure if the user is in an administrative group, though?

I suppose not.
I guess it made me squeamish because dmesg certainly exposes a lot more, including network info.


Do you have any ideas about how to implement this?

I would say, yes, it is still less secure.

I suspect people use accounts in wheel or adm to use their PCs so any compromise would give access to logs.

@dalto .. yeah part of my knee-jerk too because of userspace activity .. but again - if such a user is compromised, so is root.

You know .. on further thinking.
From something like a server standpoint the groups would be more secure than root, because of course, guessing cscs is harder than guessing 'root' or 'admin'. See - your router :wink:

I guess a way would be sudoers:

%wheel ALL=NOPASSWD: /usr/bin/dmesg

Then to skip the typing of 'sudo' you could use something like an alias or script..

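An added audit script (not posted by anyone in the thread) that ties together the three mechanisms discussed above: the kernel.dmesg_restrict sysctl that gates dmesg, the systemd-journal/adm/wheel groups that gate the system journal, and the sudoers fragment suggested for wheel. It assumes a Linux host with /proc and the usual id(1); the function and variable names are the example's own.

```bash
#!/bin/sh
# Added example: report who can read kernel (dmesg) and system (journalctl) logs.

# dmesg_access VALUE: map a kernel.dmesg_restrict value to who may read dmesg.
#   0 -> any user; 1 -> only processes with CAP_SYSLOG (root, or via sudo).
dmesg_access() {
    case "$1" in
        0) echo "everyone" ;;
        1) echo "CAP_SYSLOG-only" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# journal_access "GROUP GROUP ...": "system" if the space-separated group list
# contains one of the groups man journalctl names, else "private" (own journal only).
journal_access() {
    for g in $1; do
        case "$g" in
            systemd-journal|adm|wheel) echo "system"; return 0 ;;
        esac
    done
    echo "private"
}

# sudoers_line GROUP: the fragment from the thread, for /etc/sudoers.d/<name>.
# Validate before installing it with: visudo -c -f /etc/sudoers.d/<name>
sudoers_line() {
    printf '%%%s ALL=NOPASSWD: /usr/bin/dmesg\n' "$1"
}

# audit_host: evaluate the current host and the invoking user.
audit_host() {
    r=$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null || echo "?")
    echo "kernel.dmesg_restrict=$r -> dmesg readable by: $(dmesg_access "$r")"
    echo "user $(id -un) groups: $(id -Gn)"
    echo "  -> system journal access: $(journal_access "$(id -Gn)")"
    echo "sudoers fragment for dmesg parity: $(sudoers_line wheel)"
}

audit_host
```

Running it as the initial install user on a default install should show dmesg restricted to CAP_SYSLOG while the journal reports "system" access via wheel, which is exactly the asymmetry the thread is about.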