Re: [systemd-devel] [PATCH] Split sysctl 50-default.conf setting file
On Mon, Dec 02, 2013 at 09:15:37PM +0100, Goffredo Baroncelli wrote: Hi all, currently systemd contains a sysctl default setting in a file called 50-default.conf The aim of this patch is to split the content of the sysctl setting in more files to allow a more selective override. Hi Goffredo, I think that the misunderstading is that you *can* override invidual settings. If you provide a file with a name higher in order, containing just sysctl.sysrq override, just this setting will be overriden. BTW, Kay, why is the default so conservative here (sysrq only)? I would think that the general principle that the user who has physical access to the machine and can flip the power switch should be able to do various things which are disruptive, but not are not proviledge escalation (let's call them reboot-like). +# 1 - enable all functions of sysrq +# 1 - bitmask of allowed sysrq functions (see below for detailed function +# description): +# 2 - enable control of console logging level +# 4 - enable control of keyboard (SAK, unraw) +# 8 - enable debugging dumps of processes etc. +# 16 - enable sync command +# 32 - enable remount read-only +# 64 - enable signalling of processes (term, kill, oom-kill) +#128 - allow reboot/poweroff +#256 - allow nicing of all RT tasks + +kernel.sysrq = 16 # only enable sync command Zbyszek ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Split sysctl 50-default.conf setting file
On 2013-12-02 21:32, Kay Sievers wrote: On Mon, Dec 2, 2013 at 9:15 PM, Goffredo Baroncelli kreij...@libero.it wrote: currently systemd contains a sysctl default setting in a file called 50-default.conf The aim of this patch is to split the content of the sysctl setting in more files to allow a more selective override. My need is to enable all the sysrq key. Instead systemd defaults is to disallow all sysrq keys except the sync one [1]. To do that, I would have to override the sysctl file /usr/lib/sysctl.d/50-default.conf file, putting a file with the same name in /etc/sysctl.d However this file contains other settings than the one which I want to override; so I would lost any update of these other settings made by upstream. With this patch I am able to override only the setting related to the sysrq. You should be able to overwrite individual settings just fine. I don't think this is needed. What happens if the same sysctl is present is in two files: the value is written two times, or systemd-sysctl is smart enough to write only the last one ? I have to point out that I spent some time to find who changed this setting when I installed systemd. A more explicit name file would helped. create mode 100644 sysctl.d/50-default_kernel_sysrq.conf We usually don't do _ in file names. :) Just for curiosity: there is a rationale or it is a convention (I am fine with removing _, but I am curious about the reason) Kay ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- gpg @keyserver.linux.it: Goffredo Baroncelli (kreijackATinwind.it Key fingerprint BBF5 1610 0B64 DAC6 5F7D 17B2 0EDA 9B37 8B82 E0B5 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Split sysctl 50-default.conf setting file
On Mon, Dec 02, 2013 at 10:27:45PM +0100, Goffredo Baroncelli wrote: On 2013-12-02 21:38, Zbigniew Jędrzejewski-Szmek wrote: On Mon, Dec 02, 2013 at 09:15:37PM +0100, Goffredo Baroncelli wrote: Hi all, currently systemd contains a sysctl default setting in a file called 50-default.conf The aim of this patch is to split the content of the sysctl setting in more files to allow a more selective override. Hi Goffredo, I think that the misunderstading is that you *can* override invidual settings. If you provide a file with a name higher in order, containing just sysctl.sysrq override, just this setting will be overriden. Yes am doing so. But IIRC the process order of the sysctl file was inverted near systemd 207... Because Debian uses 204, when it switches to something more recent than 207 this setup will not work any more :-( so I have to change the order number. Yes, that unfortunate :), but easy to work around: just install the file with a high number, and symlink with a low number. The symlink can be removed after update to 208. Anyway I think that it is more clean to separate the setting in more files. This would make the number of files equal to the number of settings we are changing, which would be messy. BTW, Kay, why is the default so conservative here (sysrq only)? I would think that the general principle that the user who has physical access to the machine and can flip the power switch should be able to do various things which are disruptive, but not are not proviledge escalation (let's call them reboot-like). I agree with you Kay explained in IRC that we do not allow such actions, because access to the keyboad doesn't mean full access to the machine, and we default to safe settings. Allowing the reboot though logind is different, because the user must authenticate first to open a session. Zbyszek ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Split sysctl 50-default.conf setting file
Hi Zbyszek On 2013-12-02 23:27, Zbigniew Jędrzejewski-Szmek wrote: On Mon, Dec 02, 2013 at 10:27:45PM +0100, Goffredo Baroncelli wrote: [...] Yes am doing so. But IIRC the process order of the sysctl file was inverted near systemd 207... Because Debian uses 204, when it switches to something more recent than 207 this setup will not work any more :-( so I have to change the order number. Yes, that unfortunate :), but easy to work around: just install the file with a high number, and symlink with a low number. The symlink can be removed after update to 208. Thanks, good suggestions Anyway I think that it is more clean to separate the setting in more files. This would make the number of files equal to the number of settings we are changing, which would be messy. This is not the first case that a config file is split in several sub-files. The config.d directories are a typical example. I have ne question: what happens if a sysctl setting is in more than one file ? systemd-sysctl is smart enough to write the last value or perform several writes ? BTW, Kay, why is the default so conservative here (sysrq only)? I would think that the general principle that the user who has physical access to the machine and can flip the power switch should be able to do various things which are disruptive, but not are not proviledge escalation (let's call them reboot-like). I agree with you Kay explained in IRC that we do not allow such actions, because access to the keyboad doesn't mean full access to the machine, and we default to safe settings. Allowing the reboot though logind is different, because the user must authenticate first to open a session. Sorry, but I cannot agree: from a theoretical point of view Kay has reason. However who has access to the keyboard and not to the power switch ? If I want to switch the PC and the software cannot allow it, I unplug the main power... I think that we should give access to other keys like: - Boot - Reboot - powerOff - Umount - often my Xorg freez and syrq-K is also useful Goffredo Zbyszek -- gpg @keyserver.linux.it: Goffredo Baroncelli (kreijackATinwind.it Key fingerprint BBF5 1610 0B64 DAC6 5F7D 17B2 0EDA 9B37 8B82 E0B5 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Split sysctl 50-default.conf setting file
On Mon, Dec 2, 2013 at 11:52 PM, Goffredo Baroncelli kreij...@libero.it wrote: I have ne question: what happens if a sysctl setting is in more than one file ? systemd-sysctl is smart enough to write the last value or perform several writes ? One write only, it logs at info level about overwritten values. Kay explained in IRC that we do not allow such actions, because access to the keyboad doesn't mean full access to the machine, and we default to safe settings. Allowing the reboot though logind is different, because the user must authenticate first to open a session. Sorry, but I cannot agree: from a theoretical point of view Kay has reason. However who has access to the keyboard and not to the power switch ? If I want to switch the PC and the software cannot allow it, I unplug the main power... The keyboard is surely not the computer itself, the wires or the reset or power button. Login prompts must not have the ability to trigger unsafe options with the keyboard alone. I think that we should give access to other keys like: - Boot - Reboot - powerOff - Umount Sure it's useful for you as it is for me on my box, but it is not a safe default. You need to set it locally, we cannot do that. Kay ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Split sysctl 50-default.conf setting file
On Dec 3, 2013 1:51 AM, Tom Gundersen t...@jklm.no wrote: On Tue, Dec 3, 2013 at 12:04 AM, Kay Sievers k...@vrfy.org wrote: On Mon, Dec 2, 2013 at 11:52 PM, Goffredo Baroncelli kreij...@libero.it wrote: I have ne question: what happens if a sysctl setting is in more than one file ? systemd-sysctl is smart enough to write the last value or perform several writes ? One write only, it logs at info level about overwritten values. Kay explained in IRC that we do not allow such actions, because access to the keyboad doesn't mean full access to the machine, and we default to safe settings. Allowing the reboot though logind is different, because the user must authenticate first to open a session. Sorry, but I cannot agree: from a theoretical point of view Kay has reason. However who has access to the keyboard and not to the power switch ? If I want to switch the PC and the software cannot allow it, I unplug the main power... The keyboard is surely not the computer itself, the wires or the reset or power button. Login prompts must not have the ability to trigger unsafe options with the keyboard alone. It is useful to imagine an internet cafe, a library, or a school, where the user may only have physical access to the keyboard, and not the machine itself. But logind needs to be reconfigured anyway to disallow reboots in this situation, so why would sysctl be different? Also Ctrl-Alt-Del and/or the login manager's Reboot option. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Split sysctl 50-default.conf setting file
On Tue, Dec 3, 2013 at 12:55 AM, Mantas Mikulėnas graw...@gmail.com wrote: On Dec 3, 2013 1:51 AM, Tom Gundersen t...@jklm.no wrote: On Tue, Dec 3, 2013 at 12:04 AM, Kay Sievers k...@vrfy.org wrote: On Mon, Dec 2, 2013 at 11:52 PM, Goffredo Baroncelli kreij...@libero.it wrote: I have ne question: what happens if a sysctl setting is in more than one file ? systemd-sysctl is smart enough to write the last value or perform several writes ? One write only, it logs at info level about overwritten values. Kay explained in IRC that we do not allow such actions, because access to the keyboad doesn't mean full access to the machine, and we default to safe settings. Allowing the reboot though logind is different, because the user must authenticate first to open a session. Sorry, but I cannot agree: from a theoretical point of view Kay has reason. However who has access to the keyboard and not to the power switch ? If I want to switch the PC and the software cannot allow it, I unplug the main power... The keyboard is surely not the computer itself, the wires or the reset or power button. Login prompts must not have the ability to trigger unsafe options with the keyboard alone. It is useful to imagine an internet cafe, a library, or a school, where the user may only have physical access to the keyboard, and not the machine itself. But logind needs to be reconfigured anyway to disallow reboots in this situation, so why would sysctl be different? No, logind requires an active session of a locally logged-in user. That is safe enough for a default. A login prompt only should not be able to do that. Also Ctrl-Alt-Del and/or the login manager's Reboot option. This will go away with when we move to systemd-consoled from kernel VTs, it can do the same logic as logind. Kay ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel