[systemd-devel] [PATCH] Split sysctl 50-default.conf setting file

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Mon Dec 2 14:27:54 PST 2013


On Mon, Dec 02, 2013 at 10:27:45PM +0100, Goffredo Baroncelli wrote:
> On 2013-12-02 21:38, Zbigniew Jędrzejewski-Szmek wrote:
> > On Mon, Dec 02, 2013 at 09:15:37PM +0100, Goffredo Baroncelli wrote:
> >> Hi all,
> >>
> >> currently systemd contains a sysctl default setting in a file called
> >>         50-default.conf
> >> The aim of this patch is to split the content of the sysctl setting in
> >> more files to allow a more selective override.
> > Hi Goffredo,
> > I think that the misunderstanding is that you *can* override individual
> > settings. If you provide a file with a name higher in order, containing
> > just sysctl.sysrq override, just this setting will be overridden.
> 
> Yes, I am doing so. But IIRC the process order of the sysctl file was
> inverted near systemd 207...
> 
> Because Debian uses 204, when it switches to something more recent than
> 207 this setup will not work any more :-( so I have to change the order
> number.
Yes, that's unfortunate :), but easy to work around: just install the file
with a high number, and symlink with a low number. The symlink can be removed
after update to 208.

> Anyway I think that it is more clean to separate the setting in more files.
This would make the number of files equal to the number of settings we are
changing, which would be messy.

> > BTW, Kay, why is the default so conservative here (sysrq only)?
> > I would think that the general principle that the user who has physical
> > access to the machine and can flip the power switch should be able to
> > do various things which are disruptive, but are not privilege
> > escalation (let's call them reboot-like).
> 
> I agree with you
Kay explained in IRC that we do not allow such actions, because access to
the keyboard doesn't mean full access to the machine, and we default to safe
settings. Allowing the reboot through logind is different, because the user
must authenticate first to open a session.

Zbyszek
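The override mechanics discussed above, as an added example that is not part of this mail or of systemd itself: a small POSIX shell model of how sysctl.d drop-ins merge when the last file applied wins, evaluated under both processing orders, plus the "high number plus low-numbered symlink" workaround. The file names, the values 16 and 1, and the `asc`/`desc` labels are constructed for the demo and are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Model of sysctl.d merging: files are applied in name order and the
# last assignment of a key wins. Assumed format: "key = value" lines.
# "asc" applies 00..99 (later file overrides), "desc" applies 99..00
# (the inverted order the thread attributes to older releases).
effective_sysctl() {
    dir=$1; order=$2; key=$3
    # escape dots so "kernel.sysrq" does not match "kernelXsysrq"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    if [ "$order" = desc ]; then sorter="sort -r"; else sorter="sort"; fi
    result=""
    for f in $(ls "$dir" | grep '\.conf$' | $sorter); do
        # symlinks are read through, exactly like a real drop-in dir
        v=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$dir/$f" | tail -n 1)
        if [ -n "$v" ]; then result=$v; fi
    done
    printf '%s\n' "$result"
}

# Constructed sample drop-ins: a shipped default and a local override.
make_demo() {
    mkdir -p "$1"
    printf 'kernel.sysrq = 16\n' > "$1/50-default.conf"   # constructed default
    printf 'kernel.sysrq = 1\n'  > "$1/99-local.conf"     # admin override
}

# The workaround from the thread: keep the real file at a high number and
# add a low-numbered symlink so either processing order picks it up last.
add_symlink_workaround() {
    ln -sf 99-local.conf "$1/00-local.conf"
}

demo=$(mktemp -d)
make_demo "$demo"
echo "before symlink: asc=$(effective_sysctl "$demo" asc kernel.sysrq)" \
     "desc=$(effective_sysctl "$demo" desc kernel.sysrq)"
add_symlink_workaround "$demo"
echo "after symlink:  asc=$(effective_sysctl "$demo" asc kernel.sysrq)" \
     "desc=$(effective_sysctl "$demo" desc kernel.sysrq)"
rm -rf "$demo"
```

Without the symlink the override only takes effect under one of the two orders; with it, both orders resolve kernel.sysrq to the local value.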