Date: Fri, 5 Jun 2009 23:35:07 +0100 From: Bruce Cran <bruce@cran.org.uk> To: FLEURIOT Damien <ml@my.gd> Cc: freebsd-stable@freebsd.org Subject: Re: make installworld and securelevel Message-ID: <20090605233507.42ee1c96@gluon.draftnet> In-Reply-To: <20090605154544.GA1855@sd-13813.dedibox.fr> References: <20090605154544.GA1855@sd-13813.dedibox.fr>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 5 Jun 2009 17:45:50 +0200 FLEURIOT Damien <ml@my.gd> wrote: >=20 > Hello list, >=20 >=20 > I apologize if this issue has been raised already but I couldn't > find it anywhere. >=20 >=20 > Find below a snip from my installworld: >=20 > -------------------------------------------------------------- > >>> Installing everything > -------------------------------------------------------------- > cd /usr/src; make -f Makefile.inc1 install > =3D=3D=3D> share/info (install) > =3D=3D=3D> lib (install) > =3D=3D=3D> lib/csu/i386-elf (install) > install -o root -g wheel -m 444 crt1.o crti.o crtn.o gcrt1.o > /usr/lib > =3D=3D=3D> lib/libc (install) > install -C -o root -g wheel -m 444 libc.a /usr/lib > install -C -o root -g wheel -m 444 libc_p.a /usr/lib > install -s -o root -g wheel -m 444 -fschg -S libc.so.7 /lib > ^C >=20 >=20 > My concern is with the last line which installs libc.so.7 and > chflags it. >=20 > I was running with securelevel 1 and got denied. > I had to revert to the old kernel, change my securelevel, reinstall > the new 7.2 kernel, then run my installworld. >=20 > This hasn't caused me any other issue, but what will happen the day > the libc.a or libc_p.a which are installed in the early steps of > installworld become incompatible with the old kernel (if this is at > all possible) ? >=20 > I wouldn't have been able to boot anymore (this is a remote host). > The server has a rescue system, but I think a lot of trouble could > be saved by interrupting "make installworld" if we're running above > securelevel 0. Although it's often safe to run installworld in multi user mode, it's recommended to run it in single user mode to avoid issues like this. =46rom /usr/src/UPDATING: <make sure you have good level 0 dumps> make buildworld make kernel KERNCONF=3DYOUR_KERNEL_HERE [1] <reboot in single user> [3] mergemaster -p [5] make installworld make delete-old mergemaster [4] <reboot> --=20 Bruce Cran
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090605233507.42ee1c96>