Ronald Klop wrote:
On Wed, 20 Apr 2005 16:28:06 -0500, Jon Noack <[EMAIL PROTECTED]> wrote:Check in the Makefile? Why don't You check Your securelevel with "sysctl -a | grep kern.securelevel"? But how don't You remember which securelevel are You using? You probably have your own habits in system administration. As for me I always use 2, which is convenient for me, because I often have to modify ipf/ipfw rules.
On 04/20/05 15:16, Ronald Klop wrote:
Can make installworld complain on startup if I try to run it with securelevel > 0.
It will fail half way through on some files with nochg flags or something like that.
Design feature:
'schg' is the system immutable flag. Some system files are installed with 'schg' for security reasons; installworld must remove this flag in order to install a new version of these files. However, when securelevel > 0 system immutable flags may not be turned off (see init(8)). An attempt to remove the system immutable flag (set 'noschg') will therefore fail. As a result, installworld fails.
Canonical answer:
Reboot into single user mode to perform the installworld as documented in UPDATING and section 19.4.1 of the handbook.
I understand the problem, otherwise I wouldn't have securelevel > 0. Doing a remote install in single user mode isn't always possible.
And than it isn't very nice to break the installworld with an error. Using the idea of 'fail early' it would be very nice too have a check for securelevel in the installworld Makefile.
Ronald.
Anyway, make installworld is the most secure in single user mode. I had a critical failure by making installworld without booting single user mode and my system didn't boot any more. I had to reinstall everything.
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
