Comment 9 for bug 256025

Kees Cook (kees) wrote : Re: [Bug 256025] Re: invoke-rc.d procps start loads /etc/syctl.d before /etc/sysctl.conf

On Mon, Aug 11, 2008 at 01:11:33PM +0100, Matt Zimmerman wrote:
> On Mon, Aug 11, 2008 at 11:35:38AM -0000, Scott Ritchie wrote:
> > Good point. /etc/sysctl.conf should remain the standard thing to edit
> > for overrides. That can be done after/at the same time as this patch
> > though.
> >
> > Making a new file and copying the current contents of our default
> > sysctl.conf to it should be fairly simple. All we need to do then is
> > put some comments into sysctl.conf saying where the new default settings
> > are and how to override them.
> >
> > Would you like to make the change or should I prepare another patch?
>
> I can't work on this right now but am happy to review. You might also try
> Kees, since I believe he added the defaults originally.

My intention after the procps merge was to move the ubuntu-specific
sysctl items into the .d directory. It is a correct design to have the
sysctl.conf be the global override location -- the bug here is that
anything is shipped in this file.

As for the wine/min_addr thing, I'm still not very happy with the
installation of wine disabling this default -- I would much rather
either wine fix this by catching segvs, or a command is created to
temporarily disable the setting. Making it an installed default weakens
security as a whole for the entire system.

--
Kees Cook
Ubuntu Security Team
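The thread's design point is the precedence order: procps applies the snippets in /etc/sysctl.d first and /etc/sysctl.conf last, so sysctl.conf is the administrator's global override and distribution defaults belong in the .d directory. The script below is an added example, not code from this bug report or from the procps package: it builds a constructed /etc-style tree under a temporary directory, replays that load order (sysctl.d/*.conf in lexical order, then sysctl.conf, later file wins) and reports the value a key would end up with. File names, keys and values (including the 65536 for vm.mmap_min_addr) are constructed for the demo; it is a simplified model of the init script, not a replacement for checking the live kernel with `sysctl vm.mmap_min_addr`.

```shell
#!/bin/sh
# Added example: simulate the sysctl load order discussed in the bug
# (/etc/sysctl.d/*.conf in lexical order, then /etc/sysctl.conf) and
# resolve the effective value of a key. Everything here is constructed
# under a temp dir; nothing is read from or written to the real /etc.

# effective_value KEY SYSCTL_D_DIR SYSCTL_CONF
# Prints the value assigned to KEY by the last file that mentions it
# (sysctl.conf is processed last, so it overrides the .d snippets).
effective_value() {
    key=$1; ddir=$2; conf=$3
    result=""
    for f in "$ddir"/*.conf "$conf"; do
        [ -r "$f" ] || continue
        # drop comments, accept "key = value" or "key=value",
        # trim whitespace; within one file the last assignment wins
        v=$(sed -e 's/[#;].*//' "$f" | awk -F= -v k="$key" '
            { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
            $1 == k { val = $2 }
            END { if (val != "") print val }')
        [ -n "$v" ] && result=$v
    done
    printf '%s\n' "$result"
}

# make_demo_tree ROOT: build a constructed /etc-like layout under ROOT
make_demo_tree() {
    root=$1
    mkdir -p "$root/sysctl.d"
    # distribution defaults, in the .d directory where the thread says they belong
    cat > "$root/sysctl.d/10-defaults.conf" <<'EOF'
# constructed distribution defaults (values are for the demo only)
vm.mmap_min_addr = 65536
kernel.sysrq = 1
EOF
    # a later .d snippet re-setting a key: lexical order decides
    cat > "$root/sysctl.d/50-local-site.conf" <<'EOF'
kernel.sysrq = 0
EOF
    # the administrator's global override file, loaded last
    cat > "$root/sysctl.conf" <<'EOF'
# constructed admin override; sysctl.conf is the global override location
net.ipv4.ip_forward = 0
EOF
}

# demo: build the tree, show what each key resolves to, clean up
demo() {
    tmp=$(mktemp -d)
    make_demo_tree "$tmp"
    for k in vm.mmap_min_addr kernel.sysrq net.ipv4.ip_forward kernel.nosuch; do
        printf '%-22s -> %s\n' "$k" \
            "$(effective_value "$k" "$tmp/sysctl.d" "$tmp/sysctl.conf")"
    done
    rm -rf "$tmp"
}

demo
```

Running it shows vm.mmap_min_addr keeps the .d default because nothing later touches it, kernel.sysrq ends up 0 because the lexically later snippet wins, and a key no file mentions resolves to nothing. The same resolver can be pointed at the real /etc/sysctl.d and /etc/sysctl.conf to see which file is responsible for a hardening value before a package drops its own snippet in.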