securelevel and make installworld
Ronald Klop
ronald-freebsd8 at klop.yi.org
Wed Apr 20 14:56:21 PDT 2005
On Wed, 20 Apr 2005 16:28:06 -0500, Jon Noack <noackjr at alumni.rice.edu>
wrote:
> On 04/20/05 15:16, Ronald Klop wrote:
>> Can make installworld complain on startup if I try to run it with
>> securelevel > 0.
>> It will fail half way through on some files with nochg flags or
>> something like that.
>
> Design feature:
> 'schg' is the system immutable flag. Some system files are installed
> with 'schg' for security reasons; installworld must remove this flag in
> order to install a new version of these files. However, when
> securelevel > 0 system immutable flags may not be turned off (see
> init(8)). An attempt to remove the system immutable flag (set 'noschg')
> will therefore fail. As a result, installworld fails.
>
> Canonical answer:
> Reboot into single user mode to perform the installworld as documented
> in UPDATING and section 19.4.1 of the handbook.
I understand the problem, otherwise I wouldn't have securelevel > 0. Doing
a remote install in single user mode isn't always possible.
And than it isn't very nice to break the installworld with an error. Using
the idea of 'fail early' it would be very nice too have a check for
securelevel in the installworld Makefile.
Ronald.
--
Ronald Klop, Amsterdam, The Netherlands
More information about the freebsd-stable
mailing list