Date: Fri, 05 Jun 2009 18:41:13 -0400 From: Lowell Gilbert <freebsd-stable-local@be-well.ilk.org> To: Bruce Cran <bruce@cran.org.uk> Cc: FLEURIOT Damien <ml@my.gd>, freebsd-stable@freebsd.org Subject: Re: make installworld and securelevel Message-ID: <44prdimhh2.fsf@lowell-desk.lan> In-Reply-To: <20090605233507.42ee1c96@gluon.draftnet> (Bruce Cran's message of "Fri\, 5 Jun 2009 23\:35\:07 %2B0100") References: <20090605154544.GA1855@sd-13813.dedibox.fr> <20090605233507.42ee1c96@gluon.draftnet>
index | next in thread | previous in thread | raw e-mail
Bruce Cran <bruce@cran.org.uk> writes: > On Fri, 5 Jun 2009 17:45:50 +0200 > FLEURIOT Damien <ml@my.gd> wrote: > >> >> Hello list, >> >> >> I apologize if this issue has been raised already but I couldn't >> find it anywhere. >> >> >> Find below a snip from my installworld: >> >> -------------------------------------------------------------- >> >>> Installing everything >> -------------------------------------------------------------- >> cd /usr/src; make -f Makefile.inc1 install >> ===> share/info (install) >> ===> lib (install) >> ===> lib/csu/i386-elf (install) >> install -o root -g wheel -m 444 crt1.o crti.o crtn.o gcrt1.o >> /usr/lib >> ===> lib/libc (install) >> install -C -o root -g wheel -m 444 libc.a /usr/lib >> install -C -o root -g wheel -m 444 libc_p.a /usr/lib >> install -s -o root -g wheel -m 444 -fschg -S libc.so.7 /lib >> ^C >> >> >> My concern is with the last line which installs libc.so.7 and >> chflags it. >> >> I was running with securelevel 1 and got denied. >> I had to revert to the old kernel, change my securelevel, reinstall >> the new 7.2 kernel, then run my installworld. >> >> This hasn't caused me any other issue, but what will happen the day >> the libc.a or libc_p.a which are installed in the early steps of >> installworld become incompatible with the old kernel (if this is at >> all possible) ? >> >> I wouldn't have been able to boot anymore (this is a remote host). >> The server has a rescue system, but I think a lot of trouble could >> be saved by interrupting "make installworld" if we're running above >> securelevel 0. > > Although it's often safe to run installworld in multi user mode, it's > recommended to run it in single user mode to avoid issues like this. > From /usr/src/UPDATING: > > <make sure you have good level 0 dumps> > make buildworld > make kernel KERNCONF=YOUR_KERNEL_HERE > [1] > <reboot in single user> [3] > mergemaster -p [5] > make installworld > make delete-old > mergemaster [4] > <reboot> Still, I don't really see any obvious downsides to the suggestion. Maybe it could cause problems with jail updates? That's the only issue I've been able to think of...home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44prdimhh2.fsf>