An option to ignore sysctl CTLFLAG_ANYBODY

Alfonso Siciliano alfix86 at
Sat Jun 20 18:48:15 UTC 2020

On Thu, 18 Jun 2020 17:27:21 +0000
Teran McKinney <sega01 at> wrote:

> Dear freebsd-hackers,
> I apologize if I am using the wrong list for this.
> I am wondering what the best way is to remove CTLFLAG_ANYBODY
> behavior on my systems. For my purposes, it's not desirable for any
> user to be able to adjust certain sysctls. I'd prefer root to be
> the only one able to adjust sysctl.

Hi Teran,

I had a look at kern_sysctl.c; you could recompile the kernel, changing:

	/* Is this sysctl writable by only privileged users? */
	if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) {

	/* Is this sysctl writable? */
	if (req->newptr) {

so, sysctl(3) has to call/check priv_check() every time you pass a new value.

> I generally don't know what I'm doing as it's my first time hacking
> on the FreeBSD kernel, or any kernel in general for that matter.

Another (silly :D) solution is a kernel module (nice for training):
it could explore the MIB to set CTLFLAG_ANYBODY to 0 for each object.

Happy Hacking,


Alfonso S. Siciliano
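
Added example, not part of the original message and not FreeBSD kernel code: a userland C model of the two hardening options discussed in the reply above, the stricter write check and the MIB walk that clears CTLFLAG_ANYBODY. The struct layout, flag values, sample tree and the functions `write_allowed`, `clear_anybody` and `priv_check_model` are assumptions made for this model; the real check also involves other conditions that are omitted here.

```c
#include <stddef.h>
#include <stdio.h>

/* Flag names follow the thread; the values are chosen for this model only. */
#define CTLFLAG_WR      0x40000000u
#define CTLFLAG_ANYBODY 0x10000000u

struct oid {                      /* simplified stand-in for a MIB node */
    const char *name;
    unsigned kind;
    struct oid *child, *next;     /* first child, next sibling */
};

/* Stand-in for priv_check(): in this model only uid 0 is privileged. */
static int priv_check_model(int uid) { return uid == 0 ? 0 : 1; }

/* Write gate. strict == 0 models the original condition (ANYBODY skips the
 * privilege check); strict == 1 models the modified condition (always check). */
int write_allowed(const struct oid *o, int uid, int strict)
{
    if (!(o->kind & CTLFLAG_WR))
        return 0;
    if (strict || !(o->kind & CTLFLAG_ANYBODY))
        return priv_check_model(uid) == 0;
    return 1;
}

/* Module idea: walk the tree, clear ANYBODY everywhere, count changed nodes. */
int clear_anybody(struct oid *o)
{
    int n = 0;
    for (; o != NULL; o = o->next) {
        if (o->kind & CTLFLAG_ANYBODY) {
            o->kind &= ~CTLFLAG_ANYBODY;
            n++;
        }
        n += clear_anybody(o->child);
    }
    return n;
}

/* Constructed sample tree: demo -> { demo.root_knob, demo.open_knob } */
struct oid leaf_a = { "demo.open_knob", CTLFLAG_WR | CTLFLAG_ANYBODY, NULL, NULL };
struct oid leaf_b = { "demo.root_knob", CTLFLAG_WR, NULL, &leaf_a };
struct oid root   = { "demo", 0, &leaf_b, NULL };

int main(void)
{
    printf("uid 1001 original=%d\n", write_allowed(&leaf_a, 1001, 0));
    printf("uid 1001 strict=%d\n", write_allowed(&leaf_a, 1001, 1));
    printf("cleared=%d\n", clear_anybody(&root));
    printf("uid 1001 original after walk=%d\n", write_allowed(&leaf_a, 1001, 0));
    return 0;
}
```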
