diff --git a/common/hooks/pre-pkg/99-pkglint.sh b/common/hooks/pre-pkg/99-pkglint.sh
index ada06c485ea..330df6d2454 100644
--- a/common/hooks/pre-pkg/99-pkglint.sh
+++ b/common/hooks/pre-pkg/99-pkglint.sh
@@ -83,12 +83,17 @@ hook() {

 # Prevent packages from installing to these paths in etc, they should use
 # their equivalent in usr/lib
- for f in udev/{rules.d,hwdb.d} modprobe.d sysctl.d; do
- if [ -d ${PKGDESTDIR}/etc/${f} ]; then
- msg_red "${pkgver}: /etc/${f} is forbidden. Use /usr/lib/${f}.\n"
- error=1
- fi
- done
+ #
+ # But base-files is a special case, since it may contains suggested but
+ # still user-alterable default files (particularly sysctl.d)
+ if [ "${pkgname}" != "base-files" ]; then
+ for f in udev/{rules.d,hwdb.d} modprobe.d sysctl.d; do
+ if [ -d ${PKGDESTDIR}/etc/${f} ]; then
+ msg_red "${pkgver}: /etc/${f} is forbidden. Use /usr/lib/${f}.\n"
+ error=1
+ fi
+ done
+ fi

 # Likewise with the comment above but for usr/share
 for f in X11/xorg.conf.d gconf/schemas; do
diff --git a/srcpkgs/base-files/files/sysctl-user.conf b/srcpkgs/base-files/files/sysctl-user.conf
new file mode 100644
index 00000000000..4fff32d3ce2
--- /dev/null
+++ b/srcpkgs/base-files/files/sysctl-user.conf
@@ -0,0 +1,13 @@
+# These are some recommended defaults that users can alter if needed.
+# For example, developer systems may want to enable kexec for kernel
+# testing, or disable the ptrace restrictions to be able to gdb attach
+# to processes without root.
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict=1
+
+# Turn off kexec, even if it's built in.
+kernel.kexec_load_disabled=1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope=1
diff --git a/srcpkgs/base-files/files/sysctl.conf b/srcpkgs/base-files/files/sysctl.conf
index 540bffbef9e..56b7579f530 100644
--- a/srcpkgs/base-files/files/sysctl.conf
+++ b/srcpkgs/base-files/files/sysctl.conf
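Review bot: In the 99-pkglint.sh hunk, the new `if [ "${pkgname}" != "base-files" ]` guard exempts base-files from all four forbidden paths (udev/rules.d, udev/hwdb.d, modprobe.d and sysctl.d), although the added comment only justifies sysctl.d. Keeping the loop unconditional and skipping just that one case at the top of its body, `if [ "${pkgname}" = "base-files" ] && [ "${f}" = "sysctl.d" ]; then continue; fi`, would keep the lint active for the other three directories. The carried-over test `[ -d ${PKGDESTDIR}/etc/${f} ]` is still unquoted; `[ -d "${PKGDESTDIR}/etc/${f}" ]` is the safer form. hook() starts and ends outside this hunk.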
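Review bot: In the new sysctl-user.conf, the header tells developers they may want to enable kexec, but the comment above `kernel.kexec_load_disabled=1` does not mention that this key is a one-way switch. Per the kernel's sysctl documentation, once it is set to 1 it cannot be set back to 0 until reboot, so a later-sorted drop-in or a runtime `sysctl -w` will not undo it. I would add a line above the key such as `# One-way switch: cannot be cleared at runtime; edit this file and reboot to re-enable kexec.` This is a documentation suggestion only.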
@@ -1,3 +1,8 @@
+# These are hardening options that users should typically not be altering.
+# This file is not tracked as a configuration file, so any changes in it
+# will get overwritten with updates. Void systems also by default install
+# certain hardening options that may be altered, in /etc/sysctl.d.
+
 # Append the PID to the core filename
 kernel.core_uses_pid = 1

@@ -8,14 +13,5 @@ fs.protected_symlinks=1
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict=1

-# Avoid kernel memory address exposures via dmesg.
-kernel.dmesg_restrict=1
-
 # Block non-uid-0 kernel profiling
 kernel.perf_event_paranoid=2
-
-# Turn off kexec, even if it's built in.
-kernel.kexec_load_disabled=1
-
-# Avoid non-ancestor ptrace access to running processes and their credentials.
-kernel.yama.ptrace_scope=1
diff --git a/srcpkgs/base-files/template b/srcpkgs/base-files/template
index 8040a801110..d887d5c9620 100644
--- a/srcpkgs/base-files/template
+++ b/srcpkgs/base-files/template
@@ -1,7 +1,7 @@
 # Template file for 'base-files'
 pkgname=base-files
 version=0.141
-revision=7
+revision=8
 bootstrap=yes
 depends="xbps-triggers"
 short_desc="Void Linux base system files"
@@ -18,6 +18,7 @@ conf_files="
 /etc/skel/.bash_logout
 /etc/skel/.bashrc
 /etc/skel/.inputrc
+ /etc/sysctl.d/10-void.conf
 /etc/subuid
 /etc/subgid
 /etc/issue
@@ -74,6 +75,7 @@ do_install() {
 vinstall ${FILESDIR}/blacklist.conf 644 usr/lib/modprobe.d
 # sysctl(8) files
 vinstall ${FILESDIR}/sysctl.conf 644 usr/lib/sysctl.d 10-void.conf
+ vinstall ${FILESDIR}/sysctl-user.conf 644 etc/sysctl.d 10-void.conf

 # Install common licenses, from Debian.
 vmkdir usr/share/licenses
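Review bot: In the do_install() hunk of the template, the added `vinstall ${FILESDIR}/sysctl-user.conf 644 etc/sysctl.d 10-void.conf` installs the user-alterable file under the same basename as the existing usr/lib/sysctl.d/10-void.conf. The loader that applies these files is not visible in this diff; if it follows sysctl.d(5) precedence, as `sysctl --system` does, a file in /etc/sysctl.d replaces a same-named file in /usr/lib/sysctl.d. In that case the settings kept in sysctl.conf (kernel.kptr_restrict, kernel.perf_event_paranoid, kernel.core_uses_pid) would silently stop being applied. A distinct name avoids this, e.g. `vinstall ${FILESDIR}/sysctl-user.conf 644 etc/sysctl.d 10-void-user.conf`, with the conf_files entry in the `@@ -18,6 +18,7 @@` hunk changed to match. do_install() continues outside the hunk.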