building with "CLANG"
Isaac (.ike) Levy
ike at blackskyresearch.net
Tue Jan 15 05:03:12 UTC 2013
Hi Guys,
I can't bring myself to top-post on a BSD list,
And I'm in a particularly verbose mood as I debug an unrelated nasty mess,
On Jan 14, 2013, at 9:30 PM, other at ahhyes.net wrote:
>
>
> Hi Alexus,
>
> I could, but it's going to be time consuming. There is
> almost no clues (even with a google search) on what this option does. I
> am waiting to know if I can safely keep going the way I am and not have
> any serious problems. I updated the base OS ok, I just reinstalled world
> for one of my jails and ran mergemaster also to update it. Didn't have
> any major issues however I noticed the NO_FSCHG= business in the
> article.
>
> Would be nice if someone could document what the hell
> NO_FSCHG= does..
>
In-deed!
--
Deal is, after groking some source, I *believe* this signals clang not to set particular files with the immutable 'schg' flag when installing world to your $DESTDIR.
Please try following up with the page author.
(Perhaps jump in the Clang IRC channel listed on the page, and try to ask the wiki page author?)
--
If I am correct:
I've not been down the clang jails path yet, (exciting!), but I'm assuming this is a new convenience feature tossed in, with interesting ramifications…
The old days with jail:
/rm -rf /path/to/jail/dir
- This would fail without first recursively un-setting the schg immutable flags on files in the filesystem.
(UNIX newbs hit list, make new friends, and learn the power of chflags(1))
So, NO_FSCHG is either extremely convenient, or extremely dangerous- depending on what kind of packets reach your jailed interface…
Why does this matter with jail(8)?
With this convenience, much (if not all) of the functionally of the '-s' flag in jail(8) is lost !
-s securelevel
Set the kern.securelevel MIB entry to the specified value inside
the newly created jail. This is deprecated and is equivalent to
setting the securelevel parameter.
--
This fun, goes way back, http://seann.herdejurgen.com/resume/samag.com/html/v10/i05/a4.htm
Basically, one could fork bomb the machine, rendering all jailed systems useless- and BSD Secure Levels + login.conf in the jails were the ultimate fix.
Except back then, we didn't have the -s flag, (had to reboot a machine into a higher secure level to get this kind of protection, pretty inflexible, so it was rarely applied).
Rocket-
.ike
<snip>
>>> I recently tried to give CLANG a go with
> rebuilding the system (9.0-RELEASE to 9.1-RELEASE). Having read:
> https://wiki.freebsd.org/BuildingFreeBSDWithClang [1] everything seems
> to be working ok.
>>>
>>> I noticed something in the document that got me
> concerned:
>>>
>>> # Don't forget this when using Jails!
>>> NO_FSCHG=
>>>
>
>>> There is a suggestion to add the above to src.conf -- Can someone
> please explain what this does? Having forgotten to do this, am I going
> to have any major problems?
>>>
>>> Alex.
More information about the freebsd-jail
mailing list