path: root/package/base-files/files/etc/sysctl.conf
Commit message | Author | Age | Files | Lines
* basefiles: allow suid coredumps | Kevin Darbyshire-Bryant | 2017-09-12 | 1 | -0/+1

  Set sysctl fs.suid_dumpable = 2

  This allows suid processes to dump core according to kernel.core_pattern setting.

  LEDE typically uses suid to drop root privilege rather than gain it but without this setting any suid process would be unable to produce coredumps (e.g. dnsmasq)

  Processes still need to set a non zero core file process limit ('ulimit -c unlimited' or if procd used 'procd_set_param limits core="unlimited"') in order to produce a core. This setting removes an obscure stumbling block along the way.

  From https://www.kernel.org/doc/Documentation/sysctl/fs.txt

  suid_dumpable:

  This value can be used to query and set the core dump mode for setuid or otherwise protected/tainted binaries. The modes are

  0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped.
  1 - (debug) - all processes dump core when possible. The core dump is owned by the current user and no security is applied. This is intended for system debugging situations only. Ptrace is unchecked. This is insecure as it allows regular users to examine the memory contents of privileged processes.
  2 - (suidsafe) - any binary which normally would not be dumped is dumped anyway, but only if the "core_pattern" kernel sysctl is set to either a pipe handler or a fully qualified path. (For more details on this limitation, see CVE-2006-2451.) This mode is appropriate when administrators are attempting to debug problems in a normal environment, and either have a core dump pipe handler that knows to treat privileged core dumps with care, or specific directory defined for catching core dumps. If a core dump happens without a pipe handler or fully qualified path, a message will be emitted to syslog warning about the lack of a correct setting.

  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* base-files: revert to default ECN settings | Steven Barth | 2015-10-07 | 1 | -1/+0
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 47160
* base-files: fix typo in core dump pattern sysctl entry (fixes #20489) | Felix Fietkau | 2015-09-12 | 1 | -1/+1
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 46890
* base-files: set kernel.core_pattern in sysctl.conf | Felix Fietkau | 2015-09-11 | 1 | -0/+2
  Move the pattern setting from netifd's service script to /etc/sysctl.conf.
  Put the timestamp component '%t' just after executable name '%e' for more natural order from output of ls command.
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
  SVN-Revision: 46867
* kernel: remove the netfilter optimization that skips the filter table, it has caused too many issues | Felix Fietkau | 2015-03-17 | 1 | -1/+0
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 44873
* base-files: increase igmp_max_memberships to improve multicast-proxy handling | Steven Barth | 2014-08-20 | 1 | -0/+1
  SVN-Revision: 42227
* base-files: enable option to skip the netfilter "filter" table for established connection packets by default | Felix Fietkau | 2014-08-07 | 1 | -0/+1
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 42048
* base-files: adjust the default netfilter tcp established connection timeout as per RFC 5382 (#17098) | Felix Fietkau | 2014-07-13 | 1 | -1/+1
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
  SVN-Revision: 41599
* base-files: set default IPv6 forwarding value to 1 | Steven Barth | 2013-06-11 | 1 | -2/+2
  SVN-Revision: 36918
* base-files: Fix race-conditions with IPv6 sysctls | Steven Barth | 2013-01-29 | 1 | -1/+2
  SVN-Revision: 35368
* base-files: remove IPv6-forwarding setting for all interfaces | Steven Barth | 2013-01-28 | 1 | -1/+0
  SVN-Revision: 35344
* base-files: Set default value for IPv6 forwarding | Steven Barth | 2013-01-22 | 1 | -0/+1
  SVN-Revision: 35299
* base-files: add support for ipv6-prefixes in connection with netifd | Steven Barth | 2013-01-15 | 1 | -0/+2
  SVN-Revision: 35168
* Remove default sysctl-entry for IPv6 here (races) | Steven Barth | 2012-11-29 | 1 | -2/+0
  SVN-Revision: 34417
* base-files: remove obsolete entries from sysctl.conf (#12236) | Felix Fietkau | 2012-09-24 | 1 | -5/+0
  SVN-Revision: 33532
* base-files: enable TCP timestamps, enable sack/dsack. (patch by Dave Täht) | Felix Fietkau | 2012-06-27 | 1 | -1/+3
  A year of testing in the cerowrt project shows not using timestamps to be a very bad idea in nearly any TCP at speeds above a few Mbit.
  Lastly sack/dsack help on recovery from larger amounts of packet loss.
  SVN-Revision: 32513
* base-files: enable conntrack accounting in sysctl. It used to be a compile time option which got deprecated | Jo-Philipp Wich | 2012-03-04 | 1 | -0/+1
  SVN-Revision: 30805
* base-files: remove an old network tunable tweak which is messing up network stack performance on modern systems | Felix Fietkau | 2011-08-29 | 1 | -1/+0
  SVN-Revision: 28126
* base-files: update sysctl.conf for modern kernels | Jo-Philipp Wich | 2011-03-17 | 1 | -1/+7
  SVN-Revision: 26204
* base-files: enable IPv6 forwarding by default since the default firewall supports ip6tables now | Jo-Philipp Wich | 2010-06-12 | 1 | -1/+1
  SVN-Revision: 21766
* base-files: disable bridge firewalling by default | Jo-Philipp Wich | 2010-01-18 | 1 | -1/+6
  SVN-Revision: 19214
* change sysctl.conf to disable tcp ecn by default (based on discussion with marek who stumbled upon this, it creates hard-to-debug connectivity issues with providers/servers that still use buggy equipment) | Felix Fietkau | 2009-06-17 | 1 | -1/+1
  SVN-Revision: 16499
* tweak some sysctl values for better performance | Felix Fietkau | 2009-04-07 | 1 | -0/+3
  SVN-Revision: 15129
* increase default size of the connection tracking table, thanks Marc | Florian Fainelli | 2009-01-30 | 1 | -0/+1
  SVN-Revision: 14283
* disable ipv6 sysctl call, as ipv6 is not enabled by default | Nicolas Thill | 2008-08-20 | 1 | -4/+4
  SVN-Revision: 12351
* enable TCP ECN by default (see #3001 for more information) | Felix Fietkau | 2008-08-17 | 1 | -0/+1
  SVN-Revision: 12334
* Enable IPv6 forwarding by default (#2527) | Florian Fainelli | 2007-10-24 | 1 | -0/+1
  SVN-Revision: 9435
* unify sysctl.conf, add extra netfilter options (#1996) | Felix Fietkau | 2007-06-30 | 1 | -0/+13
  SVN-Revision: 7784
* use separate sysctl.conf files for 2.4 and 2.6 - fixes some boot message spam | Felix Fietkau | 2007-04-24 | 1 | -12/+0
  SVN-Revision: 7043
* rename default/ to files/ | Felix Fietkau | 2006-11-22 | 1 | -0/+12
  SVN-Revision: 5622