[opensuse-factory] milestone 1 - was the default sysrq setting changed intentionally?
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled. -- Per Jessen, Zürich (14.1°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Le vendredi 17 mai 2013 à 15:41 +0200, Per Jessen a écrit :
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled.
It is coming from systemd upstream default: kernel.sysrq = 16 (ie SYNC only). If we (openSUSE) decide a different setting, we can change this in the default file in systemd. But I'd like a bug report, probably assigned to security team (since leaving sysrq opened can be seen as a security risk). -- Frederic Crozat <fcrozat@suse.com> SUSE -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Frederic Crozat wrote:
Le vendredi 17 mai 2013 à 15:41 +0200, Per Jessen a écrit :
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled.
It is coming from systemd upstream default:
kernel.sysrq = 16 (ie SYNC only).
If we (openSUSE) decide a different setting, we can change this in the default file in systemd.
But I'd like a bug report, probably assigned to security team (since leaving sysrq opened can be seen as a security risk).
https://bugzilla.novell.com/show_bug.cgi?id=820443 I'm not sure which address to assign it to - security@suse.[de|com] didn't work. -- Per Jessen, Zürich (13.5°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hi, * Dne Pátek 17. květen 2013, 16:05:09 [CEST] Per Jessen napsal:
Frederic Crozat wrote:
Le vendredi 17 mai 2013 à 15:41 +0200, Per Jessen a écrit :
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled.
It is coming from systemd upstream default:
kernel.sysrq = 16 (ie SYNC only).
If we (openSUSE) decide a different setting, we can change this in the default file in systemd.
But I'd like a bug report, probably assigned to security team (since leaving sysrq opened can be seen as a security risk).
https://bugzilla.novell.com/show_bug.cgi?id=820443
I'm not sure which address to assign it to - security@suse.[de|com] didn't work.
Use security-team@suse.de -- Vita Cizek
Am 17.05.2013 15:51, schrieb Frederic Crozat:
Le vendredi 17 mai 2013 à 15:41 +0200, Per Jessen a écrit :
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled.
It is coming from systemd upstream default:
kernel.sysrq = 16 (ie SYNC only).
A totally useless and plain stupid default. Not that I would have expected anything else... :-P
If we (openSUSE) decide a different setting, we can change this in the default file in systemd.
But I'd like a bug report, probably assigned to security team (since leaving sysrq opened can be seen as a security risk).
Oh, the much bigger security risk is having SAK disabled. -- Stefan Seyfried "If your lighter runs out of fluid or flint and stops making fire, and you can't be bothered to figure out about lighter fluid or flint, that is not Zippo's fault." -- bkw -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am 17.05.2013 15:51, schrieb Frederic Crozat:
Le vendredi 17 mai 2013 à 15:41 +0200, Per Jessen a écrit :
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled.
It is coming from systemd upstream default:
kernel.sysrq = 16 (ie SYNC only).
If we (openSUSE) decide a different setting, we can change this in the default file in systemd.
The defaults we have since years are already in /lib/sysctl.d/sysctl.conf cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Le mardi 21 mai 2013 à 14:57 +0200, Ludwig Nussel a écrit :
Am 17.05.2013 15:51, schrieb Frederic Crozat:
Le vendredi 17 mai 2013 à 15:41 +0200, Per Jessen a écrit :
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled.
It is coming from systemd upstream default:
kernel.sysrq = 16 (ie SYNC only).
If we (openSUSE) decide a different setting, we can change this in the default file in systemd.
The defaults we have since years are already in /lib/sysctl.d/sysctl.conf
Are you fine if I merge this file content in the systemd default file ? -- Frederic Crozat <fcrozat@suse.com> SUSE -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am 21.05.2013 15:33, schrieb Frederic Crozat:
Le mardi 21 mai 2013 à 14:57 +0200, Ludwig Nussel a écrit :
Am 17.05.2013 15:51, schrieb Frederic Crozat:
Le vendredi 17 mai 2013 à 15:41 +0200, Per Jessen a écrit :
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled.
It is coming from systemd upstream default:
kernel.sysrq = 16 (ie SYNC only).
If we (openSUSE) decide a different setting, we can change this in the default file in systemd.
The defaults we have since years are already in /lib/sysctl.d/sysctl.conf
Are you fine if I merge this file content in the systemd default file ?
One the one hand it doesn't really matter where the file comes from. On the other hand what about just not packaging it in systemd? cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Le mardi 21 mai 2013 à 16:35 +0200, Ludwig Nussel a écrit :
Am 21.05.2013 15:33, schrieb Frederic Crozat:
Le mardi 21 mai 2013 à 14:57 +0200, Ludwig Nussel a écrit :
Am 17.05.2013 15:51, schrieb Frederic Crozat:
Le vendredi 17 mai 2013 à 15:41 +0200, Per Jessen a écrit :
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled.
It is coming from systemd upstream default:
kernel.sysrq = 16 (ie SYNC only).
If we (openSUSE) decide a different setting, we can change this in the default file in systemd.
The defaults we have since years are already in /lib/sysctl.d/sysctl.conf
Are you fine if I merge this file content in the systemd default file ?
One the one hand it doesn't really matter where the file comes from. On the other hand what about just not packaging it in systemd?
I can make the "systemd" defaults empty if you prefer. I have no strong opinions here. -- Frederic Crozat <fcrozat@suse.com> SUSE -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am 21.05.2013 16:43, schrieb Frederic Crozat:
Le mardi 21 mai 2013 à 16:35 +0200, Ludwig Nussel a écrit :
Am 21.05.2013 15:33, schrieb Frederic Crozat:
Le mardi 21 mai 2013 à 14:57 +0200, Ludwig Nussel a écrit :
Am 17.05.2013 15:51, schrieb Frederic Crozat:
Le vendredi 17 mai 2013 à 15:41 +0200, Per Jessen a écrit :
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled.
It is coming from systemd upstream default:
kernel.sysrq = 16 (ie SYNC only).
If we (openSUSE) decide a different setting, we can change this in the default file in systemd.
The defaults we have since years are already in /lib/sysctl.d/sysctl.conf
Are you fine if I merge this file content in the systemd default file ?
One the one hand it doesn't really matter where the file comes from. On the other hand what about just not packaging it in systemd?
I can make the "systemd" defaults empty if you prefer. I have no strong opinions here.
Yes, I think we should do it that way and maybe move our defaults from procps to aaa_base. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Le vendredi 24 mai 2013 à 10:46 +0200, Ludwig Nussel a écrit :
Am 21.05.2013 16:43, schrieb Frederic Crozat:
Le mardi 21 mai 2013 à 16:35 +0200, Ludwig Nussel a écrit :
Am 21.05.2013 15:33, schrieb Frederic Crozat:
Le mardi 21 mai 2013 à 14:57 +0200, Ludwig Nussel a écrit :
Am 17.05.2013 15:51, schrieb Frederic Crozat:
Le vendredi 17 mai 2013 à 15:41 +0200, Per Jessen a écrit : > When I tried Sysrq-B on a fresh M1 install, I was informed that the > sysrq function is disabled.
It is coming from systemd upstream default:
kernel.sysrq = 16 (ie SYNC only).
If we (openSUSE) decide a different setting, we can change this in the default file in systemd.
The defaults we have since years are already in /lib/sysctl.d/sysctl.conf
Are you fine if I merge this file content in the systemd default file ?
One the one hand it doesn't really matter where the file comes from. On the other hand what about just not packaging it in systemd?
I can make the "systemd" defaults empty if you prefer. I have no strong opinions here.
Yes, I think we should do it that way and maybe move our defaults from procps to aaa_base.
One remaining question is about hardlink protection (http://danwalsh.livejournal.com/64493.html ) which is enabled in systemd default sysctl. Should I keep it there until sysctl default are moved to aaa_base ? -- Frederic Crozat <fcrozat@suse.com> SUSE -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am 24.05.2013 10:51, schrieb Frederic Crozat:
One remaining question is about hardlink protection (http://danwalsh.livejournal.com/64493.html ) which is enabled in systemd default sysctl. Should I keep it there until sysctl default are moved to aaa_base ?
IMHO this is a good and useful feature, but has absolutely nothing to do with systemd. The security team will surely find a place to put it :-) -- Stefan Seyfried "If your lighter runs out of fluid or flint and stops making fire, and you can't be bothered to figure out about lighter fluid or flint, that is not Zippo's fault." -- bkw -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
El 24/05/13 06:07, Stefan Seyfried escribió:
Am 24.05.2013 10:51, schrieb Frederic Crozat:
One remaining question is about hardlink protection (http://danwalsh.livejournal.com/64493.html ) which is enabled in systemd default sysctl. Should I keep it there until sysctl default are moved to aaa_base ?
IMHO this is a good and useful feature, but has absolutely nothing to do with systemd. The security team will surely find a place to put it :-)
Yes it is, but right from the start, the AT daemon needs fixing. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
El 17/05/13 09:41, Per Jessen escribió:
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled.
add kernel.sysrq = 1 in /etc/sysctl.conf , the sysadmin preferences take precedence over the defaults systemd offers. works for me. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Cristian Rodríguez wrote:
El 17/05/13 09:41, Per Jessen escribió:
When I tried Sysrq-B on a fresh M1 install, I was informed that the sysrq function is disabled.
add kernel.sysrq = 1 in /etc/sysctl.conf , the sysadmin preferences take precedence over the defaults systemd offers. works for me.
Thanks, I'm sure that'll do the trick. We ought to fix this though. -- Per Jessen, Zürich (14.5°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (6)
-
Cristian Rodríguez -
Frederic Crozat -
Ludwig Nussel -
Per Jessen -
Stefan Seyfried -
Vitezslav Cizek