On Tue, 2009-08-25 at 15:04 +1000, Craig Small wrote:
> On Fri, Aug 14, 2009 at 12:04:55AM +0200, Christoph Anton Mitterer wrote:
> > The issue that sysctl MUST be loaded BEFORE network interfaces are
> > brought up (for security reasons).... is this secured by the LSB
> > init script headers?
> You're saying it should be done before the interfaces are brought up,
> but the bug report is about sysctl running too early.
Yes... after the modules (such that the /proc entries are actually there), but before the interfaces (such that no network is open while potentially security-important options are not yet set).
> > I mean now that insserv and concurrent booting moves to be the
> > default... it's quite important to secure this, IMHO.
> The problem is you are trying to satisfy two mutually exclusive
> requirements. No matter where sysctl is run, it is too early or too
> late for something.
>
> Now with insserv, perhaps there is a place it can be run, before the
> interfaces are configured but after the module is loaded, if such a
> place exists.
That's the thing I was asking for :) But the problem is (AFAIK) that with LSB dependencies one can only specify depends and not a kind of reverse depends.

Chris.
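Added illustration for the ordering question in this exchange (not code from the thread, procps or insserv): parse constructed LSB init headers and check whether Required-Start lines alone force the sysctl script ahead of networking. The script names module-init-tools, procps and networking and the header text are constructed for the example.

```python
"""Does a set of LSB init headers force procps (sysctl) before networking?
Constructed example for this thread: with forward Required-Start lines only,
the ordering is guaranteed just when networking transitively requires procps.
Header text and script names are constructed, not from any Debian package."""
import re
from collections import deque

def parse_lsb_headers(text):
    """Map each script name to the facilities it provides and requires."""
    scripts = {}
    for block in re.findall(r"### BEGIN INIT INFO\n(.*?)### END INIT INFO", text, re.S):
        fields = dict(re.findall(r"^# ([\w-]+):\s*(.*)$", block, re.M))
        provides = fields["Provides"].split()
        scripts[provides[0]] = {"provides": set(provides),
                                "required": set(fields.get("Required-Start", "").split())}
    return scripts

def starts_before(scripts, earlier, later):
    """True iff 'later' transitively requires a facility 'earlier' provides.
    Facilities no sample script provides (e.g. $local_fs) count as external."""
    provided_by = {f: n for n, s in scripts.items() for f in s["provides"]}
    target = scripts[earlier]["provides"]
    seen, queue = {later}, deque([later])
    while queue:
        for fac in scripts[queue.popleft()]["required"]:
            if fac in target:
                return True
            nxt = provided_by.get(fac)
            if nxt and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

# Constructed headers: module loading, then sysctl (procps), then networking.
MODULES_AND_PROCPS = """\
### BEGIN INIT INFO
# Provides:          module-init-tools
### END INIT INFO
### BEGIN INIT INFO
# Provides:          procps
# Required-Start:    module-init-tools $local_fs
### END INIT INFO
"""
NETWORKING = """\
### BEGIN INIT INFO
# Provides:          networking
# Required-Start:    $local_fs
### END INIT INFO
"""
# The same networking script, declaring the dependency on the sysctl script itself.
NETWORKING_AFTER_PROCPS = NETWORKING.replace("$local_fs", "$local_fs procps")
```

With the plain NETWORKING header the check returns False (nothing forces procps first); only the variant in which networking itself requires procps makes the order guaranteed.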