272552 – Fix /var/log/messages and /var/run/dmesg.boot permissions when disabling read_msgbuf in the installer's hardening menu

Bug 272552 - Fix /var/log/messages and /var/run/dmesg.boot permissions when disabling read_msgbuf in the installer's hardening menu

Summary: Fix /var/log/messages and /var/run/dmesg.boot permissions when disabling read...

Status:	New

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	conf (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-07-17 20:46 UTC by Jose Luis Duran
Modified:	2023-12-02 12:40 UTC (History)
CC List:	0 users

See Also:

Attachments
Fix /var/log/messages and /var/run/dmesg.boot permissions (2.00 KB, patch) 2023-07-17 20:46 UTC, Jose Luis Duran	no flags	Details \| Diff
Fix the umask (2.00 KB, patch) 2023-07-17 20:56 UTC, Jose Luis Duran	no flags	Details \| Diff
Patch bsdinstall (1.42 KB, patch) 2023-07-18 05:18 UTC, Jose Luis Duran	no flags	Details \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jose Luis Duran 2023-07-17 20:46:23 UTC

Created attachment 243439 [details]
Fix /var/log/messages and /var/run/dmesg.boot permissions

If a regular user that does not belong to to the wheel group issues:

    % dmesg -a
    dmesg: sysctl kern.msgbuf: Operation not permitted

However, a user may circumvent this restriction by either:

    % cat /var/log/messages

Or

    % cat /var/run/dmesg.boot

Set the proper permissions to both files.  Fix relevant manual pages.

Given that this has been the normal behavior since the beginning, maybe the fix should be the other way around?

Comment 1 Jose Luis Duran 2023-07-17 20:56:16 UTC

Created attachment 243440 [details]
Fix the umask

Comment 2 Yuri Pankov freebsd_committer

2023-07-17 22:34:46 UTC

I don't think this is about user being in wheel and rather about security.bsd.unprivileged_read_msgbuf set to 0?

$ sysctl security.bsd.unprivileged_read_msgbuf
security.bsd.unprivileged_read_msgbuf: 0
$ groups
staff wheel operator
$ dmesg
dmesg: sysctl kern.msgbuf: Operation not permitted

May be relevant option in the installer should apply the permissions as well?

Comment 3 Jose Luis Duran 2023-07-18 00:17:05 UTC

(In reply to Yuri Pankov from comment #2)

Got it.
What about the permissions? Accessible only to the root user as well, i.e., 0600?

Comment 4 Jose Luis Duran 2023-07-18 05:18:19 UTC

Created attachment 243453 [details]
Patch bsdinstall

Follow the instructions in commit 6f3933fa6fbd021bf6f24543e91489283eafd698, and set the proper permissions to both files from the bsdinstall hardening script.

For this patch to work I must first remove the hard-wired umask setting from /etc/rc.d/dmesg and set dmesg_umask (separate commit).

Comment 5 Jose Luis Duran 2023-12-02 12:40:05 UTC

Note so self:
https://reviews.freebsd.org/D36309 has been MFCd down to 12, /etc/rc.d scripts (chiefly dmesg) can be adapted to use it.
There is a strong desire to remove the hardening menu from the installer, in the meantime, I think this could be beneficial.