# How can I do a sanity check on /etc/sysctl.conf after making changes to it?



## hxfischer (Sep 16, 2019)

I have put these two intentionally incorrect lines in my /etc/sysctl.conf:
```
fakevar=1
security.bsd.see_other_uids=badvalue
```

Then as root, I run "/etc/rc.d/sysctl reload" and I get the output:
```
sysctl: unknown oid 'fakevar' at line 1
sysctl: invalid integer 'badvalue' at line 2
```

This is exactly the kind of output I need, but I want to run the sanity test _before_ reloading or restarting sysctl. The method I use above does both things at once. I also don't care for the fact the exit code of this "command" is 0 no matter what (the "program" exits with success whether or not errors are encountered).

As an aside, is it bad practice to reload or restart sysctl (using the command above or "service sysctl restart") instead of just restarting the system?


----------



## ralphbsz (Sep 16, 2019)

Ultimately, the sysctl service (the script /etc/rc.d/sysctl) just runs the sysctl(8) executable from /sbin/sysctl. I quickly peeked at the man page, and it doesn't seem to have a "pretend only" or "syntax-check the input" mode. 

For the first part of your request, that could be very easily mocked up with a simple script: Use "sysctl -N -a -o" to get a list of all settable oids (names), then check whether all oids in /etc/sysctl.conf show up in that list. Give me half an hour and awk (and a few glasses of wine or a good beer), and I'll do it ... except that I have too many other things to do. 
The second part of the query (check that values are valid) is harder.  You can use "sysctl -t ..." to get a list of the types for all oids. For the ones that are numeric, syntax- and range-checking is tedious but doable. Where it gets impossible is checking string and opaque values. I don't see a way to check those, other than by trial and error. Fortunately, there are not very many settable string and opaque values.
Finally, the fact that the sysctl service script (which you run when you say "service sysctl reload") doesn't return a non-zero exit code even makes sense. For the most part, the reload succeeded. If you run the raw /sbin/sysctl executable, it will have exit code 1 for invalid names.
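The check sketched in the reply above (compare every name in sysctl.conf against the list from `sysctl -N -a -o`, then type-check numeric values using `sysctl -t`) written out as a POSIX sh script. This is an added example, not code from the thread or from FreeBSD's rc.d/sysctl: it never runs `sysctl name=value`, so nothing is applied, and it exits 1 when anything is flagged, which is the exit status the original poster wanted. It assumes the known-oid list has the one-name-per-line shape of `sysctl -N -a -o` and that `sysctl -t -a -o` prints lines of the form `name: type ...`; the `check_entries` function takes both lists as files, so it can be exercised with constructed input on any system, while `check_live` builds them from the running kernel. String and opaque values are accepted as-is, since, as the reply notes, they cannot be validated offline.

```shell
#!/bin/sh
# sysctl_conf_check.sh: dry-run check of a sysctl.conf-style file (added example,
# not code from the forum thread or from FreeBSD). Nothing is ever applied.
# Assumptions: KNOWN has the "sysctl -N -a -o" shape (one oid per line) and
# TYPES has the "name: type ..." shape assumed here for "sysctl -t -a -o".

# conf_entries FILE: print "LINE<TAB>HAS_EQ<TAB>NAME<TAB>VALUE" for every active
# line, keeping the file's own line numbers so messages match "sysctl -f" output.
# Comments are stripped and whitespace around "=" is trimmed (a lenient choice).
conf_entries() {
    awk '
        { sub(/#.*/, "") }                 # strip comments
        /^[[:space:]]*$/ { next }          # skip blank lines
        {
            eq = index($0, "=")
            if (eq == 0) { name = $0; val = "" }
            else { name = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            printf "%d\t%d\t%s\t%s\n", NR, (eq > 0), name, val
        }' "$1"
}

# check_entries CONF KNOWN TYPES: report unknown oids, lines without "=", and
# non-numeric values for numeric oids. Returns 1 if anything was flagged, else 0.
check_entries() {
    conf_entries "$1" | awk -F '\t' -v known="$2" -v types="$3" '
        BEGIN {
            while ((getline l < known) > 0) ok[l] = 1
            close(known)
            while ((getline l < types) > 0) {
                c = index(l, ":"); if (c == 0) continue
                n = substr(l, 1, c - 1); r = substr(l, c + 1)
                sub(/^[[:space:]]+/, "", r); split(r, w, " ")
                ty[n] = w[1]       # "unsigned long" keeps its first word; still numeric
            }
            close(types)
            errs = 0
        }
        function fail(msg) { print "sysctl-check: " msg | "cat 1>&2"; errs++ }
        {
            line = $1; haseq = $2; name = $3; val = $4
            if (!(name in ok)) { fail("unknown oid '\''" name "'\'' at line " line); next }
            if (!haseq)        { fail("missing \"=\" for '\''" name "'\'' at line " line); next }
            t = ty[name]
            # integers: optional sign, decimal or 0x hex (sysctl parses with base 0)
            if (t ~ /^(integer|unsigned|long|u?int(8|16|32|64))$/ &&
                val !~ /^[-+]?(0[xX][0-9a-fA-F]+|[0-9]+)$/)
                fail("invalid " t " '\''" val "'\'' at line " line)
            # string and opaque oids cannot be validated offline; accepted as-is
        }
        END { close("cat 1>&2"); exit errs ? 1 : 0 }'
}

# check_live [CONF]: build the oid and type lists from the running kernel and
# check CONF (default /etc/sysctl.conf) against them without applying anything.
check_live() {
    conf=${1:-/etc/sysctl.conf}
    known=$(mktemp) || return 2
    types=$(mktemp) || { rm -f "$known"; return 2; }
    sysctl -N -a -o > "$known" 2>/dev/null
    sysctl -t -a -o > "$types" 2>/dev/null   # assumed "name: type ..." format
    check_entries "$conf" "$known" "$types"
    rc=$?
    rm -f "$known" "$types"
    return "$rc"
}

# Usage: sh sysctl_conf_check.sh /etc/sysctl.conf  (exit 0 = clean, 1 = problems)
case "${1-}" in "") ;; *) check_live "$1" ;; esac
```

Run it before `service sysctl reload`; with the two bad lines from the question it prints `sysctl-check: unknown oid 'fakevar' at line 1` and `sysctl-check: invalid integer 'badvalue' at line 2` and exits 1, so it can gate a deployment step or a config-management run.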


----------



## rigoletto@ (Sep 16, 2019)

Not really related but you may want to have a look on these: PR 240390, PR 240391, PR 240575,


----------

