Date:      Sun, 21 Sep 2008 17:13:58 -0700
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        "Jason C. Wells" <jcw@highperformance.net>
Cc:        freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: Install -S Not Safe was: Re: Installworld deletes libc
Message-ID:  <20080922001358.GB12112@icarus.home.lan>
In-Reply-To: <48D6D379.10909@highperformance.net>
References:  <48D68FD6.50804@highperformance.net> <20080921215113.GB9494@icarus.home.lan> <48D6C995.7060606@highperformance.net> <48D6CAAE.9060303@highperformance.net> <48D6D379.10909@highperformance.net>

On Sun, Sep 21, 2008 at 04:06:33PM -0700, Jason C. Wells wrote:
> Jason C. Wells wrote:
>> Jason C. Wells wrote:
>
>> I should add that 'sysctl security.jail.chflags_allowed=1' allowed  
>> installworld to proceed without error. That solves my immediate 
>> problem.  There appears to be a bug in the security mechanism.
>
> The reason there appeared to be a bug in the security mechanism is that  
> I performed (IIRC) chflags -noschg on libc as root on the host system  
> outside the jail.
>
> But for some reason 'install -S' was not safe.
>
> (outside the jail)
> ~$ chflags noschg /usr/jails/cr/lib/libc.so.6
>
> (inside the jail)
> [root@s4cr /usr/src/lib/libc]# ls -lao /lib/libc.so.6
> -rwxr-xr-x  1 root  wheel  - 981331 Sep 21 15:57 /lib/libc.so.6
>
> [root@s4cr /usr/src/lib/libc]# sysctl -a | grep secur
> kern.securelevel: -1
> security.jail.chflags_allowed: 0
>
> [root@s4cr /usr/src/lib/libc]#   make install
> install -C -o root -g wheel -m 444   libc.a /usr/lib
> install -C -o root -g wheel -m 444   libc_p.a /usr/lib
> install -s -o root -g wheel -m 444   -fschg -S  libc.so.6 /lib
> install: /lib/libc.so.6: chflags: Operation not permitted
> *** Error code 71
>
> Stop in /usr/src/lib/libc.
>
> [root@s4cr /usr/src/lib/libc]# ls -lao /lib/libc.so.6
> /libexec/ld-elf.so.1: Shared object "libc.so.6" not found, required by "ls"
> [root@s4cr /usr/src/lib/libc]#

Please file a PR on this matter.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
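
A pre-flight check for the failure in the quoted session, as an added example that is not part of the original message or of FreeBSD's own tooling: it reads sysctl output and refuses to proceed when an install step using `-fschg` would have its chflags call denied. The function name `check_chflags_preflight` is hypothetical, and the `security.jail.jailed` line in the sample is an assumed input that the quoted output does not show.

```shell
#!/bin/sh
# Added example, not from the original thread. check_chflags_preflight is a
# hypothetical helper name. It reads "name: value" lines, as printed by
# sysctl(8), on stdin and decides whether an install step that passes
# -fschg (as the libc install in the message does) can set the flag.
# Returns 0 = proceed, 1 = chflags will be refused, 2 = input incomplete.
check_chflags_preflight() {
    jailed="" allowed="" level=""
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*:}
        value=$(printf '%s' "$value" | tr -d ' \t')
        case $name in
            security.jail.jailed)          jailed=$value ;;
            security.jail.chflags_allowed) allowed=$value ;;
            kern.securelevel)              level=$value ;;
        esac
    done
    # Refuse to guess when a value is missing.
    if [ -z "$jailed" ] || [ -z "$allowed" ] || [ -z "$level" ]; then
        echo "preflight: missing sysctl value" >&2
        return 2
    fi
    # Inside a jail, chflags is denied unless the host allows it.
    if [ "$jailed" = 1 ] && [ "$allowed" = 0 ]; then
        echo "preflight: jailed with security.jail.chflags_allowed=0" >&2
        return 1
    fi
    # At securelevel 1 or higher an existing schg flag cannot be cleared.
    if [ "$level" -ge 1 ]; then
        echo "preflight: kern.securelevel=$level blocks clearing schg" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: the two values shown in the message, plus an
# assumed security.jail.jailed line (not shown in the original output).
SAMPLE_JAILED='kern.securelevel: -1
security.jail.jailed: 1
security.jail.chflags_allowed: 0'
```

On a live system the input would come from `sysctl kern.securelevel security.jail.jailed security.jail.chflags_allowed`, run inside the jail before `make install` or `make installworld`.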




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080922001358.GB12112>