Created attachment 243439 [details] Fix /var/log/messages and /var/run/dmesg.boot permissions If a regular user that does not belong to to the wheel group issues: % dmesg -a dmesg: sysctl kern.msgbuf: Operation not permitted However, a user may circumvent this restriction by either: % cat /var/log/messages Or % cat /var/run/dmesg.boot Set the proper permissions to both files. Fix relevant manual pages. Given that this has been the normal behavior since the beginning, maybe the fix should be the other way around?
Created attachment 243440 [details] Fix the umask
I don't think this is about user being in wheel and rather about security.bsd.unprivileged_read_msgbuf set to 0? $ sysctl security.bsd.unprivileged_read_msgbuf security.bsd.unprivileged_read_msgbuf: 0 $ groups staff wheel operator $ dmesg dmesg: sysctl kern.msgbuf: Operation not permitted May be relevant option in the installer should apply the permissions as well?
(In reply to Yuri Pankov from comment #2) Got it. What about the permissions? Accessible only to the root user as well, i.e., 0600?
Created attachment 243453 [details] Patch bsdinstall Follow the instructions in commit 6f3933fa6fbd021bf6f24543e91489283eafd698, and set the proper permissions to both files from the bsdinstall hardening script. For this patch to work I must first remove the hard-wired umask setting from /etc/rc.d/dmesg and set dmesg_umask (separate commit).
Note so self: https://reviews.freebsd.org/D36309 has been MFCd down to 12, /etc/rc.d scripts (chiefly dmesg) can be adapted to use it. There is a strong desire to remove the hardening menu from the installer, in the meantime, I think this could be beneficial.