--- src/sys/kern/subr_prf.c 2004/09/13 16:22:36 1.8
+++ src/sys/kern/subr_prf.c 2005/09/29 20:43:56 1.9
@@ -100,6 +100,11 @@ TUNABLE_INT("kern.log_console_output", &
 SYSCTL_INT(_kern, OID_AUTO, log_console_output, CTLFLAG_RW,
 &log_console_output, 0, "");
+static int unprivileged_read_msgbuf = 1;
+SYSCTL_INT(_kern, OID_AUTO, unprivileged_read_msgbuf, CTLFLAG_RW,
+ &unprivileged_read_msgbuf, 0,
+ "Unprivileged processes may read the kernel message buffer");
+
 /*
 * Warn that a system table is full.
 */
@@ -868,12 +873,28 @@ msgbufinit(void *ptr, size_t size)
 }
 /* Sysctls for accessing/clearing the msgbuf */
+
 static int
 sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
 {
+ struct ucred *cred;
 int error;
 /*
+ * Only wheel or root can access the message log.
+ */
+ if (unprivileged_read_msgbuf == 0) {
+ KKASSERT(req->td->td_proc);
+ cred = req->td->td_proc->p_ucred;
+
+ if ((cred->cr_prison || groupmember(0, cred) == 0) &&
+ suser(req->td) != 0
+ ) {
+ return (EPERM);
+ }
+ }
+
+ /*
 * Unwind the buffer, so that it's linear (possibly starting with
 * some initial nulls).
 */
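Review bot: The new `unprivileged_read_msgbuf` knob is runtime-only, whereas the neighbouring `log_console_output` setting visible in the hunk header also has a `TUNABLE_INT`, so the restriction cannot take effect until userland sets the sysctl. If the message buffer is meant to be closed to unprivileged readers from early boot, add `TUNABLE_INT("kern.unprivileged_read_msgbuf", &unprivileged_read_msgbuf);` next to the declaration. The default of 1 keeps the buffer readable by everyone, so a short comment above the declaration such as `/* 0 restricts kern.msgbuf reads to wheel/root; default 1 keeps the historical open behaviour */` would make the hardening setting easier to find.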
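Review bot: The comment `Only wheel or root can access the message log` does not match the condition under it in sysctl_kern_msgbuf: the check runs only when `unprivileged_read_msgbuf` is 0, and `cred->cr_prison ||` sends a jailed wheel member on to the `suser()` test, so group membership alone is not enough inside a jail. I would reword it to `When kern.unprivileged_read_msgbuf is 0, only non-jailed members of group wheel (gid 0) or callers that pass suser() may read the message buffer.` Separately, `KKASSERT(req->td->td_proc)` turns a request from a thread without a process into a panic once the knob is 0; if such callers can reach this handler (not visible here), skipping the credential check when `td_proc` is NULL would be safer than asserting. The handler's body continues past the end of the hunk, so whether the clearing sysctl mentioned in the comment above the function is gated the same way cannot be judged from this page.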