2

As I can see in Mac OS X:

smarek:~ marekseberaold$ dmesg
Unable to obtain kernel buffer: Operation not permitted
usage: sudo dmesg

Is this really important, to disable access to dmesg output for non-root / non-administrative users? Why is Apple doing this at all?

Marek Sebera
  • Apparently, the need to run as root comes from the [original BSD command](http://developer.apple.com/library/mac/#documentation/Darwin/Reference/Manpages/man8/dmesg.8.html). I think that modern FreeBSD has abandoned the need for root `dmesg`. – new123456 Jan 26 '12 at 12:15

1 Answer

3

A clear "yes" from my side:

An attacker can use it to snoop on kernel messages, e.g. about segfaults and kernel errors, and thus use it as a feedback loop for exploit optimization. Another use case: the iptables LOG target writes to the same buffer, so information about other users' connections can then be misused to spoof packets with a better chance of success.

I guess someone skilled will find even more ways to use dmesg to aid in privilege escalation.

user427616
  • A recent example on Linux: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html `kernel.dmesg_restrict` is the kernel flag. Similarly, `hidepids` on `/proc` can help. One needs to be careful to not inconvenience users too much, though -- especially if they already have access to `/var/log/kern.log` and the like (e.g., `adm` group) – Jacopo Oct 11 '18 at 05:39
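A small POSIX shell audit for the two Linux knobs the last comment names, `kernel.dmesg_restrict` and the `hidepid` mount option on `/proc`. This is an added example, not code from any post above; it assumes a Linux host, and the parsing functions take their input as arguments so they can be exercised against constructed `/proc/mounts` lines.

```shell
#!/bin/sh
# Added example: report whether unprivileged users can read the kernel ring
# buffer and see other users' processes. Assumes Linux; the sysctl file and
# the /proc/mounts column layout used here are the standard ones.

# dmesg_restrict_status VALUE
# Maps the raw kernel.dmesg_restrict value to a human-readable verdict.
dmesg_restrict_status() {
    case "$1" in
        1) echo "restricted" ;;    # only CAP_SYSLOG may read the buffer
        0) echo "unrestricted" ;;  # any local user can run dmesg
        *) echo "unknown" ;;       # file missing or unreadable
    esac
}

# proc_hidepid_mode MOUNTS_TEXT
# Scans /proc/mounts-style text for the /proc mount and prints its hidepid=
# value (0/1/2, or "invisible"/"ptraceable" on newer kernels); prints 0 when
# the option is absent, i.e. process listings are visible to everyone.
proc_hidepid_mode() {
    printf '%s\n' "$1" | awk '$2 == "/proc" && $3 == "proc" {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opts[i]); print opts[i]; exit }
        }
        print "0"; exit
    }'
}

# audit_host
# Reads the live values and prints one line per control.
audit_host() {
    restrict=$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null || echo "?")
    mounts=$(cat /proc/mounts 2>/dev/null || true)
    echo "kernel.dmesg_restrict=$restrict ($(dmesg_restrict_status "$restrict"))"
    echo "proc hidepid=$(proc_hidepid_mode "$mounts")"
}

audit_host
```

A persistent fix for the first line is `kernel.dmesg_restrict = 1` in `/etc/sysctl.d/`; for the second, `hidepid=2` in the `/proc` entry of `/etc/fstab`, keeping the comment's caveat about users who already belong to `adm` in mind.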