Should we disable dmesg for non-administrative users?

2

2

As I can find in Mac OS X

smarek:~ marekseberaold$ dmesg
Unable to obtain kernel buffer: Operation not permitted
usage: sudo dmesg

Is this really important, to disable access to dmesg output for non-root / non-administrative users? Why is Apple doing this at all?

Marek Sebera

Posted 2012-01-25T23:07:47.333

Reputation: 150

Apparently, the need to run as root comes from the original BSD command. I think that modern FreeBSD has abandoned the need for root dmesg.

– new123456 – 2012-01-26T12:15:56.040

Answers

3

A clear "yes" from my side:

An attacker can use it to snoop kernel messages, e.g. about segfaults and kernel errors, and thus use it as a feedback loop for exploit optimization. Another use case: the iptables LOG target will write to the same buffer, and information about other users' connections can then be misused to spoof packets with a better chance of success.

I guess someone skilled will find even more ways to use dmesg to aid in privilege escalation.

user427616

Posted 2012-01-25T23:07:47.333

Reputation: 46

A recent example on Linux: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html kernel.dmesg_restrict is the kernel flag. Similarly, hidepid on /proc can help. One needs to be careful to not inconvenience users too much, though -- especially if they already have access to /var/log/kern.log and the like (e.g., adm group).

– Jacopo – 2018-10-11T05:39:32.577
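As an added example (not code from either poster), the following POSIX shell script audits the two Linux controls named in the thread: the kernel.dmesg_restrict sysctl (0 lets any local user read the ring buffer, 1 requires CAP_SYSLOG, i.e. root or sudo) and the hidepid mount option on /proc. The classification functions take their input as arguments so they can be checked offline; the live audit only reads /proc and changes nothing. The sysctl.d drop-in file name printed at the end is a hypothetical example path, not one taken from the thread.

```shell
#!/bin/sh
# Added example: audit whether unprivileged users can read the kernel ring
# buffer (dmesg) and see other users' processes in /proc on a Linux host.
# Assumes Linux with /proc mounted; nothing here modifies system state.

# Map a kernel.dmesg_restrict value to a one-word status.
#   0 -> unrestricted : any local user may run dmesg
#   1 -> restricted   : reading the ring buffer needs CAP_SYSLOG
dmesg_restrict_status() {
    case "$1" in
        0) echo unrestricted ;;
        1) echo restricted ;;
        *) echo unknown ;;
    esac
}

# Map the mount options of /proc (4th field of /proc/mounts) to a status.
#   hidepid=2 / invisible -> invisible : other users' processes are not listed
#   hidepid=1 / noaccess  -> noaccess  : listed, but their /proc/PID is unreadable
#   otherwise             -> exposed   : every user's process details are readable
proc_hidepid_status() {
    case ",$1," in
        *,hidepid=2,*|*,hidepid=invisible,*) echo invisible ;;
        *,hidepid=1,*|*,hidepid=noaccess,*)  echo noaccess ;;
        *) echo exposed ;;
    esac
}

# Read the live values, print verdicts, and show the persistent fix.
audit_live_system() {
    if [ -r /proc/sys/kernel/dmesg_restrict ]; then
        value=$(cat /proc/sys/kernel/dmesg_restrict)
        echo "kernel.dmesg_restrict=$value -> $(dmesg_restrict_status "$value")"
    else
        echo "kernel.dmesg_restrict not present on this kernel"
    fi

    if [ -r /proc/mounts ]; then
        # Take the options of the first /proc mount entry.
        proc_opts=$(awk '$2 == "/proc" { print $4; exit }' /proc/mounts)
        echo "/proc options '$proc_opts' -> $(proc_hidepid_status "$proc_opts")"
    fi

    echo "To restrict dmesg persistently (hypothetical drop-in file name):"
    echo "  printf 'kernel.dmesg_restrict = 1\n' > /etc/sysctl.d/60-dmesg-restrict.conf"
    echo "  sysctl -p /etc/sysctl.d/60-dmesg-restrict.conf"
}

# Run the live audit only when invoked with --live, so the functions can be
# sourced and checked without touching the running system.
if [ "${1:-}" = "--live" ]; then
    audit_live_system
fi
```

Run it as `sh audit.sh --live` to see the current state; a result of `unrestricted` together with `exposed` is the combination the answer above warns about, where any local account can read both the ring buffer and other users' process details.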