Date: Fri, 05 Jun 2009 18:41:13 -0400 From: Lowell Gilbert <freebsd-stable-local@be-well.ilk.org> To: Bruce Cran <bruce@cran.org.uk> Cc: FLEURIOT Damien <ml@my.gd>, freebsd-stable@freebsd.org Subject: Re: make installworld and securelevel Message-ID: <44prdimhh2.fsf@lowell-desk.lan> In-Reply-To: <20090605233507.42ee1c96@gluon.draftnet> (Bruce Cran's message of "Fri\, 5 Jun 2009 23\:35\:07 %2B0100") References: <20090605154544.GA1855@sd-13813.dedibox.fr> <20090605233507.42ee1c96@gluon.draftnet>
next in thread | previous in thread | raw e-mail | index | archive | help
Bruce Cran <bruce@cran.org.uk> writes: > On Fri, 5 Jun 2009 17:45:50 +0200 > FLEURIOT Damien <ml@my.gd> wrote: > >> >> Hello list, >> >> >> I apologize if this issue has been raised already but I couldn't >> find it anywhere. >> >> >> Find below a snip from my installworld: >> >> -------------------------------------------------------------- >> >>> Installing everything >> -------------------------------------------------------------- >> cd /usr/src; make -f Makefile.inc1 install >> ===> share/info (install) >> ===> lib (install) >> ===> lib/csu/i386-elf (install) >> install -o root -g wheel -m 444 crt1.o crti.o crtn.o gcrt1.o >> /usr/lib >> ===> lib/libc (install) >> install -C -o root -g wheel -m 444 libc.a /usr/lib >> install -C -o root -g wheel -m 444 libc_p.a /usr/lib >> install -s -o root -g wheel -m 444 -fschg -S libc.so.7 /lib >> ^C >> >> >> My concern is with the last line which installs libc.so.7 and >> chflags it. >> >> I was running with securelevel 1 and got denied. >> I had to revert to the old kernel, change my securelevel, reinstall >> the new 7.2 kernel, then run my installworld. >> >> This hasn't caused me any other issue, but what will happen the day >> the libc.a or libc_p.a which are installed in the early steps of >> installworld become incompatible with the old kernel (if this is at >> all possible) ? >> >> I wouldn't have been able to boot anymore (this is a remote host). >> The server has a rescue system, but I think a lot of trouble could >> be saved by interrupting "make installworld" if we're running above >> securelevel 0. > > Although it's often safe to run installworld in multi user mode, it's > recommended to run it in single user mode to avoid issues like this. > From /usr/src/UPDATING: > > <make sure you have good level 0 dumps> > make buildworld > make kernel KERNCONF=YOUR_KERNEL_HERE > [1] > <reboot in single user> [3] > mergemaster -p [5] > make installworld > make delete-old > mergemaster [4] > <reboot> Still, I don't really see any obvious downsides to the suggestion. Maybe it could cause problems with jail updates? That's the only issue I've been able to think of...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44prdimhh2.fsf>