diff options
author | Serge E. Hallyn <serge@hallyn.com> | 2010-12-08 10:19:01 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-12-08 17:48:48 -0500 |
commit | 38ef4c2e437d11b5922723504b62824e96761459 (patch) | |
tree | ccec1f38348af3c2776fc5bc0b589e14504f4b33 /Documentation/sysctl/kernel.txt | |
parent | 5c6d1125f8dbd1bfef39e38fbc2837003be78a59 (diff) |
syslog: check cap_syslog when dmesg_restrict
Eric Paris pointed out that it doesn't make sense to require
both CAP_SYS_ADMIN and CAP_SYSLOG for certain syslog actions.
So require CAP_SYSLOG, not CAP_SYS_ADMIN, when dmesg_restrict
is set.
(I'm also consolidating the now common error path)
Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: Eric Paris <eparis@redhat.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'Documentation/sysctl/kernel.txt')
-rw-r--r-- | Documentation/sysctl/kernel.txt | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index 209e1584c3dc..574067194f38 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt | |||
@@ -219,7 +219,7 @@ dmesg_restrict: | |||
219 | This toggle indicates whether unprivileged users are prevented from using | 219 | This toggle indicates whether unprivileged users are prevented from using |
220 | dmesg(8) to view messages from the kernel's log buffer. When | 220 | dmesg(8) to view messages from the kernel's log buffer. When |
221 | dmesg_restrict is set to (0) there are no restrictions. When | 221 | dmesg_restrict is set to (0) there are no restrictions. When |
222 | dmesg_restrict is set set to (1), users must have CAP_SYS_ADMIN to use | 222 | dmesg_restrict is set set to (1), users must have CAP_SYSLOG to use |
223 | dmesg(8). | 223 | dmesg(8). |
224 | 224 | ||
225 | The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default | 225 | The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default |