An option to ignore sysctl CTLFLAG_ANYBODY
Alfonso Siciliano
alfix86 at gmail.com
Sat Jun 20 18:48:15 UTC 2020
On Thu, 18 Jun 2020 17:27:21 +0000
Teran McKinney <sega01 at go-beyond.org> wrote:
> Dear freebsd-hackers,
>
> I apologize if I am using the wrong list for this.
>
> I am wondering what the best way is to remove CTLFLAG_ANYBODY
> behavior on my systems. For my purposes, it's not desirable for any
> user to be able to adjust certain sysctls. I'd prefer root to be
> the only one able to adjust sysctl.

Hi Teran,

I had a look at kern_sysctl.c, you could recompile the kernel changing:
https://github.com/freebsd/freebsd/blob/master/sys/kern/kern_sysctl.c#L2122

from

    /* Is this sysctl writable by only privileged users? */
    if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) {

to

    /* Is this sysctl writable? */
    if (req->newptr) {

so, sysctl(3) has to call/check priv_check() every time you pass a new value.

> I generally don't know what I'm doing as it's my first time hacking
> on the FreeBSD kernel, or any kernel in general for that matter.

Another (silly :D) solution is a kernel module (nice for training):
it could explore the MIB to set CTLFLAG_ANYBODY to 0 for each object.

Happy Hacking,
Alfonso
---
Alfonso S. Siciliano
http://alfix.gitlab.io
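
Added example, not part of the original message and not FreeBSD kernel code: a user-space C model of the two suggestions above, the changed condition in front of priv_check() and a walk that clears CTLFLAG_ANYBODY on every object. The model_* names, the reduced structs, the flag value and the sample tree are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative flag value for this model; the kernel's own is in sys/sysctl.h. */
#define CTLFLAG_ANYBODY 0x10000000u

/* Hypothetical, reduced stand-ins for struct sysctl_oid and struct sysctl_req. */
struct model_oid {
    const char *name;
    unsigned oid_kind;
    struct model_oid *child, *sibling;  /* first child, next node on this level */
};
struct model_req { const void *newptr; int is_root; };

/* Stand-in for priv_check(): 0 for a privileged caller, EPERM otherwise. */
static int model_priv_check(const struct model_req *req) { return req->is_root ? 0 : EPERM; }

/* The quoted permission step. ignore_anybody = 0 models the original
 * condition, ignore_anybody = 1 models the modified one. */
int model_write_check(const struct model_oid *oid, const struct model_req *req, int ignore_anybody)
{
    int exempt = !ignore_anybody && (oid->oid_kind & CTLFLAG_ANYBODY) != 0;
    if (req->newptr && !exempt)
        return model_priv_check(req);
    return 0;  /* read-only request, or a write the flag exempts from the check */
}

/* The module idea: visit every node and clear the flag; returns nodes changed. */
int model_clear_anybody(struct model_oid *node)
{
    int changed = 0;
    for (; node != NULL; node = node->sibling) {
        if (node->oid_kind & CTLFLAG_ANYBODY) {
            node->oid_kind &= ~CTLFLAG_ANYBODY;
            changed++;
        }
        changed += model_clear_anybody(node->child);
    }
    return changed;
}

/* Constructed sample tree: root -> { a (ANYBODY), b -> { c (ANYBODY) } }. */
static struct model_oid leaf_c = { "c", CTLFLAG_ANYBODY, NULL, NULL };
static struct model_oid node_b = { "b", 0, &leaf_c, NULL };
static struct model_oid leaf_a = { "a", CTLFLAG_ANYBODY, NULL, &node_b };
static struct model_oid root = { "root", 0, &leaf_a, NULL };

int main(void)
{
    struct model_req user = { "1", 0 };  /* constructed unprivileged write request */
    int before = model_write_check(&leaf_a, &user, 0);
    int cleared = model_clear_anybody(&root);
    printf("%d %d %d\n", before, cleared, model_write_check(&leaf_a, &user, 0));
    return 0;
}
```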