I've analyzed the situation on Jammy, Impish and Focal and got the
following result:

Jammy+Impish:
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.rp_filter = 2
=> shadowed but equal value
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.*.rp_filter = 2
=> shadows default.rp_filter & all.rp_filter (equal value)
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.rp_filter
/usr/lib/sysctl.d/50-default.conf:kernel.sysrq = 16

Focal (shadowed, but equal value):
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

So the critical ones seem to be kernel.sysrq = 16 and the removal of
-net.ipv4.conf.all.rp_filter


Settings shipped by procps:

Jammy:
root@jj:~# grep -v '^\s*$\|^\s*\#' -R /etc/sysctl.* # (excluding README.sysctl)
/etc/sysctl.d/10-zeropage.conf:vm.mmap_min_addr = 65536
/etc/sysctl.d/10-network-security.conf:net.ipv4.conf.default.rp_filter=2
/etc/sysctl.d/10-network-security.conf:net.ipv4.conf.all.rp_filter=2
/etc/sysctl.d/10-kernel-hardening.conf:kernel.kptr_restrict = 1
/etc/sysctl.d/99-cloudimg-ipv6.conf:net.ipv6.conf.all.use_tempaddr = 0
/etc/sysctl.d/99-cloudimg-ipv6.conf:net.ipv6.conf.default.use_tempaddr = 0
/etc/sysctl.d/10-ptrace.conf:kernel.yama.ptrace_scope = 1
/etc/sysctl.d/10-console-messages.conf:kernel.printk = 4 4 1 7
/etc/sysctl.d/10-ipv6-privacy.conf:net.ipv6.conf.all.use_tempaddr = 2
/etc/sysctl.d/10-ipv6-privacy.conf:net.ipv6.conf.default.use_tempaddr = 2
/etc/sysctl.d/10-magic-sysrq.conf:kernel.sysrq = 176

Impish:
- same as Jammy

Focal:
- same as Jammy, plus:
/etc/sysctl.d/10-link-restrictions.conf:fs.protected_hardlinks = 1
/etc/sysctl.d/10-link-restrictions.conf:fs.protected_symlinks = 1


Settings shipped by systemd:

Jammy:
root@jj:~# grep -v '^\s*$\|^\s*\#' -R /usr/lib/sysctl*
/usr/lib/sysctl.d/50-default.conf:kernel.sysrq = 16
/usr/lib/sysctl.d/50-default.conf:kernel.core_uses_pid = 1
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.rp_filter = 2
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.*.rp_filter = 2
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.rp_filter
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.accept_source_route = 0
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.*.accept_source_route = 0
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.accept_source_route
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.promote_secondaries = 1
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.*.promote_secondaries = 1
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.promote_secondaries
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.ping_group_range = 0 2147483647
/usr/lib/sysctl.d/50-default.conf:-net.core.default_qdisc = fq_codel
/usr/lib/sysctl.d/50-default.conf:fs.protected_hardlinks = 1
/usr/lib/sysctl.d/50-default.conf:fs.protected_symlinks = 1
/usr/lib/sysctl.d/50-default.conf:fs.protected_regular = 1
/usr/lib/sysctl.d/50-default.conf:fs.protected_fifos = 1
/usr/lib/sysctl.d/50-pid-max.conf:kernel.pid_max = 4194304

Impish:
- same as Jammy

Focal:
root@ff:~# grep -v '^\s*$\|^\s*\#' -R /usr/lib/sysctl*
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.promote_secondaries = 1
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.*.promote_secondaries = 1
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.promote_secondaries
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.ping_group_range = 0 2147483647
/usr/lib/sysctl.d/50-default.conf:net.core.default_qdisc = fq_codel
/usr/lib/sysctl.d/50-default.conf:fs.protected_regular = 1
/usr/lib/sysctl.d/50-default.conf:fs.protected_fifos = 1
/usr/lib/sysctl.d/50-pid-max.conf:kernel.pid_max = 4194304
/usr/lib/sysctl.d/protect-links.conf:fs.protected_fifos = 1
/usr/lib/sysctl.d/protect-links.conf:fs.protected_hardlinks = 1
/usr/lib/sysctl.d/protect-links.conf:fs.protected_regular = 2
/usr/lib/sysctl.d/protect-links.conf:fs.protected_symlinks = 1

=> Focal changes:
fs.protected_regular = 2
net.core.default_qdisc = fq_codel

** Changed in: systemd (Ubuntu)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1962038

Title:
  wrong sysrq value in /usr/lib/sysctl.d/50-default.conf

Status in systemd package in Ubuntu:
  Triaged

Bug description:
  I've just learned that systemd is setting kernel.sysrq to 16 in
  /usr/lib/sysctl.d/50-default.conf.  This is inconsistent with
  /etc/sysctl.d/10-magic-sysrq.conf which intentionally sets it to 176
  by default.  systemd should drop its setting to defer to the file that
  we have been carrying in procps for a very long time.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1962038/+subscriptions
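As an added example (not part of the bug report and not systemd's or procps's own code), the script below models how systemd-sysctl walks the sysctl.d directories and reproduces, on a constructed subset of the files quoted in the comment above, the shadowing check that was done by hand: which keys are written by more than one file, and which of those overlaps actually change the effective value (kernel.sysrq 176 vs 16, and the bare "-net.ipv4.conf.all.rp_filter" line). The file tree, the list of kernel keys used for glob expansion and the "eth0" interface are all constructed for the example. Assumed semantics, taken from sysctl.d(5) as I understand them: a same-named file in an earlier directory shadows later ones, files apply in sorted order, an explicit key always wins over a glob line, and a bare "-key" line replaces any earlier assignment and excludes that key from glob expansion.

```python
"""Model of sysctl.d precedence, written to reproduce the shadowing analysis by script."""
import fnmatch
from collections import OrderedDict

# Directory precedence from sysctl.d(5): a file in an earlier directory
# shadows a same-named file in a later one.
SEARCH_DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d",
               "/usr/lib/sysctl.d", "/lib/sysctl.d"]

# Constructed in-memory file tree: a subset of the procps (/etc) and
# systemd (/usr/lib) files quoted in the bug comment.
FILES = {
    "/etc/sysctl.d": {
        "10-magic-sysrq.conf": "kernel.sysrq = 176\n",
        "10-network-security.conf": ("net.ipv4.conf.default.rp_filter=2\n"
                                     "net.ipv4.conf.all.rp_filter=2\n"),
    },
    "/usr/lib/sysctl.d": {
        "50-default.conf": (
            "# systemd defaults\n"
            "kernel.sysrq = 16\n"
            "net.ipv4.conf.default.rp_filter = 2\n"
            "net.ipv4.conf.*.rp_filter = 2\n"
            "-net.ipv4.conf.all.rp_filter\n"
            "fs.protected_hardlinks = 1\n"
        ),
        "50-pid-max.conf": "kernel.pid_max = 4194304\n",
    },
}

# Constructed stand-in for /proc/sys, used only to expand glob patterns.
KERNEL_KEYS = ["kernel.sysrq", "kernel.pid_max", "fs.protected_hardlinks",
               "net.ipv4.conf.all.rp_filter", "net.ipv4.conf.default.rp_filter",
               "net.ipv4.conf.eth0.rp_filter"]


def ordered_files(tree):
    """Return (dir, name) pairs in apply order: shadow by basename, then sort by basename."""
    chosen = {}
    for d in SEARCH_DIRS:
        for name in tree.get(d, {}):
            chosen.setdefault(name, d)  # first directory that has the name wins
    return [(chosen[n], n) for n in sorted(chosen)]


def parse(text):
    """Yield (key, value, ignore_errors) per setting line.
    value None means a bare '-key' line (assumed: exclude key from globs)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        ignore = line.startswith("-")
        if ignore:
            line = line[1:].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip(), ignore
        else:
            yield line, None, ignore


def resolve(tree=FILES, kernel_keys=KERNEL_KEYS):
    """Return (effective values, per-key assignment history in apply order)."""
    explicit = OrderedDict()  # key -> value; None marks 'excluded from globs'
    globs = []                # (pattern, value) in apply order
    history = {}              # key -> [(file, value), ...]
    for d, name in ordered_files(tree):
        path = f"{d}/{name}"
        for key, value, _ignore in parse(tree[d][name]):
            if any(c in key for c in "*?["):
                globs.append((key, value))
                continue
            explicit[key] = value  # later file replaces earlier assignment
            history.setdefault(key, []).append((path, value))
    effective = {}
    for pattern, value in globs:  # later glob overrides earlier glob
        for key in fnmatch.filter(kernel_keys, pattern):
            if key not in explicit:  # assumed: explicit key (or bare -key) beats glob
                effective[key] = value
    for key, value in explicit.items():
        if value is not None:
            effective[key] = value  # keys left at None keep the kernel default
    return effective, history


def conflicts(history):
    """Keys written by several files with differing values (or unset by a bare -key)."""
    return {k: v for k, v in history.items() if len({val for _, val in v}) > 1}


if __name__ == "__main__":
    eff, hist = resolve()
    for key, writers in conflicts(hist).items():
        print(f"{key}: effective={eff.get(key, '<kernel default>')} writers={writers}")
```

Running the script flags exactly the two overlaps the comment singles out: kernel.sysrq ends up at 16 because 50-default.conf sorts after 10-magic-sysrq.conf, and net.ipv4.conf.all.rp_filter is left at the kernel default because the bare "-" line in 50-default.conf replaces the procps assignment; net.ipv4.conf.default.rp_filter is written twice with the same value and is not reported.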

