On Wed, 10 Feb 2021 at 21:09, <intrig...@debian.org> wrote:
> I have set fs.protected_fifos=2 in /etc/sysctl.conf.
> My intent is to override procps' protect-links.conf,
> which sets fs.protected_fifos=1.
>
> Under systemd, /etc/sysctl.conf is actually loaded via the
> /etc/sysctl.d/99-sysctl.conf symlink, which sorts before
> protect-links.conf, so the distro setting from protect-links.conf
> overrides the custom value I've set in /etc/sysctl.conf.
>
Hi,

Are you sure you are still seeing this in 3.3.17? The directory orders got
changed around in that release so it might be fixed already.

$ strace sysctl --system 2>&1 | egrep 'openat.*(etc|lib)/sys'
openat(AT_FDCWD, "/etc/sysctl.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
openat(AT_FDCWD, "/usr/local/lib/sysctl.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/sysctl.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
openat(AT_FDCWD, "/lib/sysctl.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
openat(AT_FDCWD, "/usr/lib/sysctl.d/10-test1.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/sysctl.d/30-tracker.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/sysctl.d/50-bubblewrap.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/sysctl.d/50-pid-max.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/sysctl.d/99-sysctl.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/sysctl.d/999-test1.conf", O_RDONLY) = 3
openat(AT_FDCWD, "*/usr/lib/sysctl.d/protect-links.conf*", O_RDONLY) = 3
openat(AT_FDCWD, "*/etc/sysctl.conf*", O_RDONLY) = 3

/etc/sysctl.conf is read after /usr/lib/sysctl.d/protect-links.conf
That's what you wanted right?

> I find this counter-intuitive: I would expect whatever I write in
> /etc/sysctl.conf to override distro defaults. This has historically

It does. See how it changes from 1 to 2, or am I missing something?
What is odd is it calls /etc/sysctl.conf twice, but that's due to the symlink.

root@floyd:~# sysctl fs.protected_fifos
*fs.protected_fifos = 1*
root@floyd:~# grep fs.protected_fifos /etc/sysctl.conf /usr/lib/sysctl.d/protect-links.conf
/etc/sysctl.conf:fs.protected_fifos = 2
/usr/lib/sysctl.d/protect-links.conf:fs.protected_fifos = 1
root@floyd:~# /sbin/sysctl --system
* Applying /usr/lib/sysctl.d/10-test1.conf ...
net.ipv6.neigh.default.base_reachable_time_ms = 20008
* Applying /usr/lib/sysctl.d/30-tracker.conf ...
fs.inotify.max_user_watches = 65536
* Applying /usr/lib/sysctl.d/50-bubblewrap.conf ...
kernel.unprivileged_userns_clone = 1
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
kernel.pid_max = 4194304
* Applying /etc/sysctl.d/99-sysctl.conf ...
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
fs.protected_fifos = 2
* Applying /etc/sysctl.d/999-test1.conf ...
* *Applying /usr/lib/sysctl.d/protect-links.conf* ...
*fs.protected_fifos = 1*
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
* *Applying /etc/sysctl.conf* ...
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
*fs.protected_fifos = 2*
root@floyd:~# sysctl fs.protected_fifos
*fs.protected_fifos = 2*
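The ordering question in this thread is easy to get wrong when auditing a hardening baseline, since the value that survives is the one from the last file applied, not the one in the file you edited. The script below is an added example, not part of the thread or of procps; it simulates the load order visible in the strace above (sysctl.d directories merged with the first directory winning on a duplicate basename, applied in C-locale basename order, then /etc/sysctl.conf last; this ordering is an assumption drawn from the trace, not procps' own code) against a constructed directory tree and reports which file has the last word on a key. The function names (`make_sample_tree`, `load_order`, `trace_key`, `effective_value`, `last_writer`) are hypothetical.

```shell
#!/bin/sh
# Added example: simulate the sysctl --system load order seen in the thread.
# Assumption: sysctl.d files are merged (first directory wins on a duplicate
# basename), applied in C-locale basename order, then /etc/sysctl.conf last.
# Paths are resolved relative to a root so this runs on a constructed tree.
set -eu

# Constructed sample tree mirroring the filenames and values from the thread.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
  printf 'fs.protected_fifos = 1\nfs.protected_regular = 2\n' \
    > "$root/usr/lib/sysctl.d/protect-links.conf"
  printf 'kernel.pid_max = 4194304\n' > "$root/usr/lib/sysctl.d/50-pid-max.conf"
  printf 'fs.protected_fifos = 2\n' > "$root/etc/sysctl.conf"
  # Debian's symlink: /etc/sysctl.conf is also seen as 99-sysctl.conf
  ln -s ../sysctl.conf "$root/etc/sysctl.d/99-sysctl.conf"
  printf '%s\n' "$root"
}

# Print the config files under root $1 in the order they would be applied.
load_order() {
  root=$1
  seen=" "
  for dir in etc/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d lib/sysctl.d; do
    [ -d "$root/$dir" ] || continue
    for f in "$root/$dir"/*.conf; do
      [ -e "$f" ] || continue
      b=$(basename "$f")
      # earlier directories shadow later ones with the same basename
      case "$seen" in *" $b "*) continue ;; esac
      seen="$seen$b "
      printf '%s %s\n' "$b" "$f"
    done
  done | LC_ALL=C sort -k1,1 | cut -d' ' -f2-
  # /etc/sysctl.conf is applied after everything in the directories
  if [ -e "$root/etc/sysctl.conf" ]; then
    printf '%s\n' "$root/etc/sysctl.conf"
  fi
  return 0
}

# Print "file value" for every file under root $1 that sets key $2, in load
# order; the last line is the value the kernel ends up with.
trace_key() {
  root=$1
  key=$2
  for f in $(load_order "$root"); do
    v=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1)
    if [ -n "$v" ]; then
      printf '%s %s\n' "${f#"$root"}" "$v"
    fi
  done
}

# Effective value of key $2 under root $1 (empty when no file sets it).
effective_value() {
  trace_key "$1" "$2" | tail -n 1 | cut -d' ' -f2-
}

# Root-relative path of the file that last set key $2 under root $1.
last_writer() {
  trace_key "$1" "$2" | tail -n 1 | cut -d' ' -f1
}

# Stand-alone demo: sh script.sh --demo
if [ "${1-}" = "--demo" ]; then
  root=$(make_sample_tree)
  echo "Load order:"
  load_order "$root"
  echo "fs.protected_fifos, in application order:"
  trace_key "$root" fs.protected_fifos
  rm -rf "$root"
fi
```

Run with `--demo` to see the same "2, then 1, then 2" sequence the reply shows: the symlinked 99-sysctl.conf sets the key to 2, protect-links.conf resets it to 1, and the final pass over /etc/sysctl.conf restores 2. If you point `load_order` at a real root and it does not end with /etc/sysctl.conf, the value the reporter expected will not be the one in effect, which is exactly what `sysctl fs.protected_fifos` after boot should be checked against.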