> On Jul 21, 2017, at 12:22 PM, Theo de Raadt <dera...@openbsd.org> wrote:
> 
>>> On Jul 21, 2017, at 3:47 AM, Stuart Henderson <s...@spacehopper.org> wrote:
>>> 
>>> On 2017-07-20, BARDOU Pierre <bardo...@mipih.fr> wrote:
>>>> Is there a way to make sysctl re-read its conf file, or even another file, like sysctl -p does on linux systems?
>>>> Supporting this option would be nice, as it is used by the sysctl module of ansible.
>>> 
>>> Sounds risky. It won't reset default values that are unspecified in
>>> sysctl.conf, so you could be sitting on a configuration that appears ok,
>>> but will fail after a reboot.
>> 
>> Stuart makes a good point. So does Theo, adding -p to the sysctl binary when
>> it doesn't currently do any file handling at all seems extreme. So I wrote a
>> wrapper script that emulates Linux sysctl -p. I put very simple directions
>> at the top of the file. Find it here:
>> 
>> https://gist.github.com/PeterFaiman/5b67c530b0ffa009ebef904ed0678e26
>> 
>> Ideally these tools wouldn't use Linux-specific features. But emulating
>> simple features like sysctl -p in a non-invasive way isn't too hard.
> 
> One more point to add:
> 
> Some settings can only be changed before securelevel.  They fail afterwards.
> 
> I'd say the entire approach is wrong, because it cannot tell them apart.
> It will fail halfway.
> 
> It was obviously written by people who don't care.

True, there is no way to get around the securelevel problem without
rebooting, by definition. But if this MUST be done with these workflow
constraints, I think this is the "best" way to do it.

Also, it does not fail halfway; it will report errors for each of the
settings that cannot be applied, e.g. with a config that sets
kern.securelevel=0 and net.inet.udp.sendspace=9216, this happens:

# ./sysctl -p example.conf
sysctl: kern.securelevel: Operation not permitted
net.inet.udp.sendspace: 9216 -> 9216

Peter
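An added example, written here and not the gist script linked above: a POSIX sh sketch of the same sysctl -p emulation, which applies each key=value line from a file through sysctl(8), reports every rejected setting (such as one blocked once securelevel is raised) and carries on with the rest instead of stopping. The SYSCTL override variable and the file layout are assumptions made for this example.

```sh
#!/bin/sh
# Emulate Linux "sysctl -p FILE" on OpenBSD: read key=value lines from FILE,
# hand each one to sysctl(8), report every rejected setting and keep going.
# Only settings present in FILE are touched; nothing is reset to defaults.

# Assumption: SYSCTL may be overridden (e.g. with a stub for testing).
SYSCTL=${SYSCTL:-sysctl}

# parse_conf FILE: print one "key=value" per line with comments, blank lines
# and surrounding whitespace removed; lines without '=' are reported, skipped.
parse_conf() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1" |
    while IFS= read -r line; do
        case $line in
            *=*) printf '%s\n' "$line" ;;
            *)   printf 'sysctl -p: skipping malformed line: %s\n' "$line" >&2 ;;
        esac
    done
}

# apply_conf FILE: apply every setting in FILE; the return value is the
# number of settings that were rejected (0 means everything was applied).
apply_conf() {
    settings=$(mktemp) && errf=$(mktemp) || return 2
    parse_conf "$1" > "$settings"
    failed=0
    while IFS= read -r kv; do
        # A rejected write (e.g. kern.securelevel once securelevel is raised)
        # is reported on stderr by sysctl(8); treat any stderr output or a
        # non-zero exit status as a failure rather than trusting the exit
        # status alone, and carry on with the next setting.
        if ! "$SYSCTL" "$kv" 2>"$errf" || [ -s "$errf" ]; then
            cat "$errf" >&2
            failed=$((failed + 1))
        fi
    done < "$settings"
    rm -f "$settings" "$errf"
    return "$failed"
}

# Usage: sysctl-p.sh FILE   (with no argument only the functions are defined)
if [ $# -eq 1 ]; then
    apply_conf "$1"
    exit $?
fi
```

A non-zero exit status from the script means at least one setting was rejected, which is the case to check for in an Ansible task before trusting the running configuration.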
