> That grants additional rights to the `adm` group that it did not have
> before, for example to clear the dmesg buffer:
>
> $ dmesg --clear
>
> works after adding `cap_syslog` to the dmesg binary whereas it did not
> work before.
Chris Hofstaedtler, the maintainer of util-linux, mentions that granting such powers to members of adm is more or less unacceptable:
> Re-enabling dmesg for the %adm group does not seem to add value for
> Debian now, and granting the --clear (and other) permissions seems
> to be too much.
As per my most recent email to ubuntu-devel, I am marking the changes to util-linux as Won't Fix.
Relevant mailing list discussion (for future reference):
Ansgar responded on debian-devel mentioning that adding cap_syslog to dmesg enables the user to clear the kernel log buffer:
https://lists.debian.org/debian-devel/2020/08/msg00121.html
> That grants additional rights to the `adm` group that it did not have
> before, for example to clear the dmesg buffer:
>
> $ dmesg --clear
>
> works after adding `cap_syslog` to the dmesg binary whereas it did not
> work before.
Chris Hofstaedtler, the maintainer of util-linux, mentions that granting such powers to members of adm is more or less unacceptable:
https://lists.ubuntu.com/archives/ubuntu-devel/2020-August/041151.html
> Re-enabling dmesg for the %adm group does not seem to add value for
> Debian now, and granting the --clear (and other) permissions seems
> to be too much.
This was further acked by Steve Langasek:
https://lists.ubuntu.com/archives/ubuntu-devel/2020-August/041152.html
> I agree, and on that basis I also do not believe we should include this
> change to util-linux in Ubuntu.
Because of this, I will no longer pursue opening dmesg up to users in the adm group, or at least until cap_syslog gets a read-only sister capability.
Hopefully Ubuntu users won't be too inconvenienced by having to run dmesg as superuser.
Users can always turn off the behaviour, by setting "kernel.dmesg_restrict = 0" in /etc/sysctl.d/10-kernel-hardening.conf
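
The trade-off discussed in this thread can be checked on a host with a short audit script. This is an added example, not part of the original comment or of util-linux; the `/usr/bin/dmesg` path, the function names and the sample `getcap` lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: who can read and who can clear the kernel log via dmesg?
# DMESG_BIN is an assumed default path.
DMESG_BIN=${DMESG_BIN:-/usr/bin/dmesg}

# dmesg_access RESTRICT CAPS
#   RESTRICT  value of kernel.dmesg_restrict (0 or 1)
#   CAPS      getcap output for the dmesg binary, empty if it has none
# Prints "read=<who> clear=<who>" where <who> is:
#   anyone      any local user
#   privileged  only processes already holding CAP_SYSLOG (e.g. root)
#   executors   every user allowed to execute the binary
dmesg_access() {
    read_who=privileged
    clear_who=privileged
    case $2 in
        *cap_syslog*)
            # The file capability is not read-only: it also permits --clear.
            read_who=executors
            clear_who=executors ;;
    esac
    # With restriction off, reading needs no capability at all.
    if [ "$1" = 0 ]; then read_who=anyone; fi
    echo "read=$read_who clear=$clear_who"
}

# Feed live values from the running host into the same decision.
audit_host() {
    restrict=$(cat /proc/sys/kernel/dmesg_restrict)
    caps=$(getcap "$DMESG_BIN" 2>/dev/null) || caps=
    echo "kernel.dmesg_restrict=$restrict caps=${caps:-none}"
    echo "binary: $(stat -c '%A %U:%G' "$DMESG_BIN")"
    dmesg_access "$restrict" "$caps"
}

if [ "${1:-}" = --host ]; then
    audit_host
else
    # Constructed sample inputs (not captured from a real system).
    echo "hardened default:  $(dmesg_access 1 '')"
    echo "restriction off:   $(dmesg_access 0 '')"
    echo "cap_syslog on bin: $(dmesg_access 1 '/usr/bin/dmesg cap_syslog=ep')"
fi
```

Run with `--host` to evaluate the live system; the owner, group and mode printed for the binary show who "executors" actually is.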