[PATCH] securelevel and make installworld

Craig Boston craig at feniz.gank.org
Sat Apr 30 19:28:32 PDT 2005

On Wed, Apr 20, 2005 at 05:47:08PM -0500, Jon Noack wrote:
> The attached diff is against -CURRENT but applies cleanly to 5.4-RC3. 
> It adds a check to the installworld target in src/Makefile.inc1 to 
> ensure we are not in secure mode.

What about cases where installing in secure mode is both valid and will
not fail?

For example, consider using installworld to create a jail environment.
If the target directory is empty, no schg files need to be overwritten
and the install will succeed even with securelevel 3.

Some users may also have their system configured so that schg is not set
on system files (INSTALLFLAGS_EDIT=:N-fschg, among other methods).
Arguably this is not very secure, but perhaps they are using securelevel
for something else.  Perhaps protecting firewall rules or sensitive

IMHO, it's not the system's place to second guess what it is told to do.


More information about the freebsd-stable mailing list