Hi Craig,
Craig Small (2021-02-15):
> Are you sure you are still seeing this in 3.3.17? The directory orders
> got changed around in that release so it might be fixed already.
>
> $ strace sysctl --system 2>&1 | egrep 'openat.*(etc|lib)/sys'
> [...]
>
> /etc/sysctl.conf is read after /usr/lib/sysctl.d/protect-links.conf
> That's what you wanted right?
>
> [...]
>
> root@floyd:~# /sbin/sysctl --system
> [...]
> * Applying /usr/lib/sysctl.d/protect-links.conf ...
> fs.protected_fifos = 1
> fs.protected_hardlinks = 1
> fs.protected_regular = 2
> fs.protected_symlinks = 1
> * Applying /etc/sysctl.conf ...
> net.ipv6.conf.all.accept_redirects = 0
> net.ipv6.conf.default.accept_redirects = 0
> fs.protected_fifos = 2
>
> root@floyd:~# sysctl fs.protected_fifos
> fs.protected_fifos = 2
I confirm this problem does not happen when I use "sysctl --system".
However, this problem does happen with procps 2:3.3.17-4 after
a reboot (or more simply, after restarting procps.service).

My understanding is that when using systemd, what matters is what
systemd-sysctl does, not what "sysctl --system" does: procps.service
is a symlink to systemd-sysctl.service, which calls systemd-sysctl and
not "sysctl --service". So, in order to solve this bug on Debian
systems that use systemd, one needs to do either one of:

a) Modify the behavior of systemd-sysctl so it matches the current
   behavior of "sysctl --system". I don't know how realistic this is.

b) Rename protect-links.conf as I suggested, so it integrates more
   nicely with the configuration system it's de facto primarily meant
   for nowadays.

Does this make sense?

Sorry if I totally misunderstood or missed something!

Cheers,
--
intrigeri
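The ordering difference discussed in this thread, modelled as an added example (not code from the bug report or from procps/systemd). It assumes that procps 3.3.17 reads the sysctl.d directories in the listed order and /etc/sysctl.conf last, that systemd-sysctl reads only the sysctl.d directories and sorts every *.conf by basename regardless of directory (with /etc/sysctl.d shadowing a same-named file from /usr/lib/sysctl.d), and that Debian ships /etc/sysctl.d/99-sysctl.conf as a symlink to /etc/sysctl.conf; the renamed file name "10-protect-links.conf" is a hypothetical choice.

```python
# Model of the two readers' precedence rules (assumptions, see lead-in).
PROCPS_DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d",
               "/usr/lib/sysctl.d", "/lib/sysctl.d"]
SYSTEMD_DIRS = PROCPS_DIRS[:-1]   # systemd-sysctl does not list /lib/sysctl.d


def _dir(path):
    return path.rsplit("/", 1)[0]


def _name(path):
    return path.rsplit("/", 1)[1]


def procps_order(fragments):
    """Paths in the order `sysctl --system` (procps 3.3.17) applies them."""
    ordered = []
    for d in PROCPS_DIRS:
        ordered += sorted(p for p in fragments if _dir(p) == d)
    if "/etc/sysctl.conf" in fragments:   # read last, so it wins
        ordered.append("/etc/sysctl.conf")
    return ordered


def systemd_order(fragments):
    """Paths in the order systemd-sysctl applies them: one file per basename,
    earlier directories shadow later ones, then sorted by basename only."""
    by_name = {}
    for d in reversed(SYSTEMD_DIRS):   # /etc/sysctl.d is written last: wins
        for p in fragments:
            if _dir(p) == d:
                by_name[_name(p)] = p
    return [by_name[n] for n in sorted(by_name)]


def effective(fragments, order):
    """Final sysctl values after applying fragments in the given order."""
    settings = {}
    for path in order(fragments):
        settings.update(fragments[path])
    return settings


def renamed(fragments, old, new):
    """Copy of fragments with one file renamed (e.g. given a sort prefix)."""
    out = dict(fragments)
    out[new] = out.pop(old)
    return out


# Constructed fragments mirroring the values shown in the thread.
ETC_SYSCTL_CONF = {"fs.protected_fifos": "2",
                   "net.ipv6.conf.all.accept_redirects": "0"}
FRAGMENTS = {
    "/usr/lib/sysctl.d/protect-links.conf": {"fs.protected_fifos": "1",
        "fs.protected_hardlinks": "1", "fs.protected_regular": "2",
        "fs.protected_symlinks": "1"},
    "/etc/sysctl.conf": ETC_SYSCTL_CONF,
    "/etc/sysctl.d/99-sysctl.conf": ETC_SYSCTL_CONF,   # Debian symlink
}
```

With these rules `sysctl --system` ends with fs.protected_fifos = 2 while systemd-sysctl ends with 1, because "99-sysctl.conf" sorts before "protect-links.conf"; giving the shipped file a low numeric prefix makes both readers agree.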