Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 5 Jun 2009 23:35:07 +0100
From:      Bruce Cran <bruce@cran.org.uk>
To:        FLEURIOT Damien <ml@my.gd>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: make installworld and securelevel
Message-ID:  <20090605233507.42ee1c96@gluon.draftnet>
In-Reply-To: <20090605154544.GA1855@sd-13813.dedibox.fr>
References:  <20090605154544.GA1855@sd-13813.dedibox.fr>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Fri, 5 Jun 2009 17:45:50 +0200
FLEURIOT Damien <ml@my.gd> wrote:

>=20
> Hello list,
>=20
>=20
> I apologize if this issue has been raised already but I couldn't
> find it anywhere.
>=20
>=20
> Find below a snip from my installworld:
>=20
> --------------------------------------------------------------
> >>> Installing everything
> --------------------------------------------------------------
> cd /usr/src; make -f Makefile.inc1 install
> =3D=3D=3D> share/info (install)
> =3D=3D=3D> lib (install)
> =3D=3D=3D> lib/csu/i386-elf (install)
> install -o root -g wheel  -m 444 crt1.o crti.o crtn.o gcrt1.o
> /usr/lib
> =3D=3D=3D> lib/libc (install)
> install -C -o root -g wheel -m 444   libc.a /usr/lib
> install -C -o root -g wheel -m 444   libc_p.a /usr/lib
> install -s -o root -g wheel -m 444   -fschg -S  libc.so.7 /lib
> ^C
>=20
>=20
> My concern is with the last line which installs libc.so.7 and
> chflags it.
>=20
> I was running with securelevel 1 and got denied.
> I had to revert to the old kernel, change my securelevel, reinstall
> the new 7.2 kernel, then run my installworld.
>=20
> This hasn't caused me any other issue, but what will happen the day
> the libc.a or libc_p.a which are installed in the early steps of
> installworld become incompatible with the old kernel (if this is at
> all possible) ?
>=20
> I wouldn't have been able to boot anymore (this is a remote host).
> The server has a rescue system, but I think a lot of trouble could
> be saved by interrupting "make installworld" if we're running above
> securelevel 0.

Although it's often safe to run installworld in multi user mode, it's
recommended to run it in single user mode to avoid issues like this.
=46rom /usr/src/UPDATING:

<make sure you have good level 0 dumps>
        make buildworld
        make kernel KERNCONF=3DYOUR_KERNEL_HERE
                                                        [1]
        <reboot in single user>                         [3]
        mergemaster -p                                  [5]
        make installworld
        make delete-old
        mergemaster                                     [4]
        <reboot>

--=20
Bruce Cran

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090605233507.42ee1c96>