Why did dmesg become a priveleged operation suddenly?

Thanks. Unfortunately, when I enter this into terminal, it says 'no such file or directory'. I tried with and without 'sudo'. I know how to create a .conf file, and should then just enter the second line of code? Nothing horrible can happen from creating the 99-sysctl.conf?

Simply create it.

No. You could also create a 87-manjaro-is-great.conf without anything going to happen. Only the content of the file makes things happen.

1 Like

Cool, thank you. I'll create the 99-sysctl.conf, and add
echo 'kernel.dmesg_restrict=0' | sudo tee -a /etc/sysctl.d/99-sysctl.conf

No, the content of that file will be:
kernel.dmesg_restrict=0
and nothing else.

1 Like

Thank you very much for correcting me on that.

Sorry for necro bumping, just an important precision to add in case there is people reading it.

Well, by default, access to system logs on journalctl is restricted to root and certain users that are member of certain groups: the most notable one being wheel (which is the group for administrators, or sudoers if you prefer, on a standard Manjaro system).

So unless Manjaro changed the defaults on that one, journalctl is already locked down on that aspect.

Quote from man journalctl.

All users are granted access to their private per-user journals.
However, by default, only root and users who are members of a few
special groups are granted access to the system journal and the
journals of other users. Members of the groups "systemd-journal",
"adm", and "wheel" can read all journal files. Note that the two latter
groups traditionally have additional privileges specified by the
distribution. Members of the "wheel" group can often perform
administrative tasks.

1 Like

I love RTFMing, but have you confirmed? With a no-wheels user?

That was of course a very good question and yes, I do confirm that it also works in practice on Manjaro. Here's what I get if I use journalctl -k (for kernel messages) and journalctl -xe --unit=smb.service (for a random system-wide service). journalctl does warn you that you are not a member of either adm, systemd-journald or wheel and therefore, can't see any logs for other users or for the system.

[peasant@mjrgnome ~]$ id
uid=1001(peasant) gid=1001(peasant) groups=1001(peasant)
[peasant@mjrgnome ~]$ journalctl -k
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
      Pass -q to turn off this notice.
-- Logs begin at Thu 2019-05-23 06:43:02 EDT, end at Thu 2019-05-23 06:45:16 ED>
-- No entries --
[peasant@mjrgnome ~]$ journalctl -xe --unit=smb.service
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
      Pass -q to turn off this notice.
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
-- Logs begin at Thu 2019-05-23 06:43:02 EDT, end at Thu 2019-05-23 06:45:16 ED>
-- No entries --
[peasant@mjrgnome ~]$ 

If I type journalctl -xe, it will only show the logs that this low-privileged user is allowed to see, for example logs for its own, personal systemd units.

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

Forum kindly sponsored by