Ubuntu

invoke-rc.d procps start loads /etc/syctl.d before /etc/sysctl.conf

Reported by Scott Ritchie on 2008-08-08
16
Affects Status Importance Assigned to Milestone
procps (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: procps

The newer procps allows for individual overrides to sysctl. The latest Wine package needs one of these, creating a file at /etc/sysctl.d/wine.sysctl.conf containing an override entry for vm.mmap_min_addr. Wine needs this at 0, the system default is at 65536.

The problem, however, is that this file is essentially ignored since invoke-rc.d procps start will load the custom files in /etc/sysctl.d/ BEFORE loading /etc/sysctl.conf, thus causing the setting for Wine to be overridden by the system default rather than the other way around.

Scott Ritchie (scottritchie) wrote :

Setting importance to medium as it blocks medium bugs (eg: https://bugs.edge.launchpad.net/ubuntu/+source/wine/+bug/114025)

Changed in procps:
importance: Undecided → Medium
Scott Ritchie (scottritchie) wrote :

The attached patch fixes the issue quite simply. Please commit and upload :)

Changed in procps:
status: New → Triaged
Scott Ritchie (scottritchie) wrote :

The Debian maintainer has confirmed that the same change will happen in Debian, so we won't be behaving differently from Lenny in this case.

Matt Zimmerman (mdz) wrote :

Are you sure this is the best fix? The idea of package defaults overriding sysadmin-specified settings makes me nervous.

Scott Ritchie (scottritchie) wrote :

Without this, there's no way to have package defaults override unmodified system defaults; the sysctl.d folder becomes essentially useless.

Perhaps a more complete fix is to make it clear that manual settings should be done somewhere other than sysctl.conf when the same setting is modified by something in sysctl.d. A sysadmin using a file like /etc/sysctl.d/zzz.sysctl.conf would guarantee that his override comes after packages. A simple comment explaining this at the top of /etc/sysctl.conf might help here.

On Mon, Aug 11, 2008 at 09:32:12AM -0000, Scott Ritchie wrote:
> Without this, there's no way to have package defaults override
> unmodified system defaults; the sysctl.d folder becomes essentially
> useless.
>
>
> Perhaps a more complete fix is to make it clear that manual settings should be done somewhere other than sysctl.conf when the same setting is modified by something in sysctl.d. A sysadmin using a file like /etc/sysctl.d/zzz.sysctl.conf would guarantee that his override comes after packages. A simple comment explaining this at the top of /etc/sysctl.conf might help here.

Simpler would be to add Ubuntu defaults in /etc/sysctl.d/00-ubuntu.conf or
similar instead of /etc/sysctl.conf. Then, this could be overrided in
obvious ways both by system administrators (/etc/sysctl.conf) and by
packages (/etc/sysctl.d).

--
 - mdz

Scott Ritchie (scottritchie) wrote :

Good point. /etc/sysctl.conf should remain the standard thing to edit for overrides. That can be done after/at the same time as this patch though.

Making a new file and copying the current contents of our default sysctl.conf to it should be fairly simple. All we need to do then is put some comments into sysctl.conf saying where the new default settings are and how to override them.

Would you like to make the change or should I prepare another patch?

Matt Zimmerman (mdz) wrote :

On Mon, Aug 11, 2008 at 11:35:38AM -0000, Scott Ritchie wrote:
> Good point. /etc/sysctl.conf should remain the standard thing to edit
> for overrides. That can be done after/at the same time as this patch
> though.
>
> Making a new file and copying the current contents of our default
> sysctl.conf to it should be fairly simple. All we need to do then is
> put some comments into sysctl.conf saying where the new default settings
> are and how to override them.
>
> Would you like to make the change or should I prepare another patch?

I can't work on this right now but am happy to review. You might also try
Kees, since I believe he added the defaults originally.

--
 - mdz

Kees Cook (kees) wrote :

On Mon, Aug 11, 2008 at 01:11:33PM +0100, Matt Zimmerman wrote:
> On Mon, Aug 11, 2008 at 11:35:38AM -0000, Scott Ritchie wrote:
> > Good point. /etc/sysctl.conf should remain the standard thing to edit
> > for overrides. That can be done after/at the same time as this patch
> > though.
> >
> > Making a new file and copying the current contents of our default
> > sysctl.conf to it should be fairly simple. All we need to do then is
> > put some comments into sysctl.conf saying where the new default settings
> > are and how to override them.
> >
> > Would you like to make the change or should I prepare another patch?
>
> I can't work on this right now but am happy to review. You might also try
> Kees, since I believe he added the defaults originally.

My intention after the procps merge was to move the ubuntu-specific
sysctl items into the .d directory. It is a correct design to have the
sysctl.conf be the global override location -- the bug here is that
anything is shipped in this file.

As for the wine/min_addr thing, I'm still not very happy with the
installation of wine disabling this default -- I would much rather
either wine fix this by catching segvs, or a command is created to
temporarily disable the setting. Making it an installed default weakens
security as a whole for the entire system.

--
Kees Cook
Ubuntu Security Team

Matt LaPlante (cybrmatt) wrote :

I'm partially confused by this bug. I wound up here in the process of filing Bug #292470. It's my observation that in Intrepid final, procps sources /etc/sysctl.conf *first*, which means it is being overridden by /etc/sysctl.d. This is the behavior desired by the requester of this bug, but the bug is not marked Fixed.

With that said, I agree with the latter posters here that sysctl.conf should be processed last, giving it the override, and that Ubuntu default configs should be moved to sysctl.d. I disagree with the initial request in this bug to make sysctl.d authoritative (Even though it currently is. Even though this bug is open and the README is wrong).

Scott Ritchie (scottritchie) wrote :

Things are as they should be in Intrepid - /etc/sysctl.conf is now a bunch of (commented out) commands for overriding the defaults, and the system defaults are in names like /etc/sysctl.d/10-*.conf. This allows Wine to come "after" them by using just /etc/sysctl.d/wine.conf

Changed in procps:
status: Triaged → Fix Released
Dan Kegel (dank) wrote :

I've updated http://wiki.winehq.org/PreloaderPageZeroProblem to reflect the new workaround.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers