Date: Fri, 30 Nov 2001 16:47:15 -0500 (EST)
From: Robert Watson <rwatson@FreeBSD.org>
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern subr_prf.c
Message-ID: <Pine.NEB.3.96L.1011130164444.88343F-100000@fledge.watson.org>
In-Reply-To: <200111302140.fAULeq956949@freefall.freebsd.org>

Note that when this sysctl is set to '0', dmesg is no longer available from
within jails. One rationale for this change is that the kernel message
buffer can be the target of a number of confidential pieces of information,
including single-user mode output, process information at run-time, etc.
Sites that use kern.security.bsd.see_other_uids will probably want to use
this sysctl also, for that reason if not others.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Fri, 30 Nov 2001, Robert Watson wrote:

> rwatson     2001/11/30 13:40:52 PST
>
>   Modified files:
>     sys/kern             subr_prf.c
>   Log:
>   o Introduce kern.security.bsd.unprivileged_read_msgbuf, which allows
>     the administrator to restrict access to the kernel message buffer.
>     It defaults to '1', which permits access, but if set to '0', requires
>     that the process making the sysctl() have appropriate privilege.
>   o Note that for this to be effective, access to this data via system
>     logs derived from /dev/klog must also be limited.
>
>   Obtained from:  TrustedBSD Project
>   Sponsored by:   DARPA, NAI Labs
>
>   Revision  Changes    Path
>   1.74      +13 -0     src/sys/kern/subr_prf.c
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
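
An added audit sketch, not part of the original message or of FreeBSD's code: it checks the two conditions the commit log names, the sysctl value and world-readable log files derived from /dev/klog. The function name and the log paths passed to it are assumptions; the sysctl name is the one given in the message.

```shell
#!/bin/sh
# Added example: audit the two conditions named in the commit log.
# Assumptions: the function name and the log paths passed in are illustrative.

SYSCTL_NAME="kern.security.bsd.unprivileged_read_msgbuf"  # name as given in the message

# audit_msgbuf VALUE [LOGFILE...]
#   VALUE    current value of the sysctl ("0" = privileged only, "1" = open)
#   LOGFILE  files that syslogd writes from /dev/klog
# Prints one line per finding and returns the number of findings.
audit_msgbuf() {
    value=$1; shift
    findings=0

    if [ "$value" != "0" ]; then
        echo "FINDING: $SYSCTL_NAME=$value, unprivileged processes can read the message buffer"
        findings=$((findings + 1))
    fi

    for f in "$@"; do
        # Skip log files that do not exist on this host.
        [ -e "$f" ] || continue
        # -perm -004 matches when the "other" read bit is set, meaning any
        # local user can read kernel messages from the log instead.
        if [ -n "$(find "$f" -prune -perm -004 -print)" ]; then
            echo "FINDING: $f is world-readable, kernel messages leak through the log"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Typical use on a host that has this sysctl (the log path is an assumption):
#   audit_msgbuf "$(sysctl -n "$SYSCTL_NAME")" /var/log/messages
```

A return status of 0 means both the message buffer and the listed logs are closed to unprivileged users.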