| From: | Scott Marlowe <smarlowe(at)g2switchworks(dot)com> |
|---|---|
| To: | lister <lister(at)primetime(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Shared memory and FreeBSD's jail() |
| Date: | 2005-05-19 15:33:42 |
| Message-ID: | 1116516822.31821.76.camel@state.g2switchworks.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Thu, 2005-05-19 at 09:46, lister wrote:
> At the BSDCan tutorial last week on jails (and several other times)
> there was discussion regarding Postgres's use of system V style
> shared memory, and an unfortunate side effect of making jail() less
> secure. Specifically, to allow Postgres to operate in a jail()ed
> environment, the sysctl :
> jail.sysvipc_allowed=1
> has to be set. This allows ALL jails to access the memory, at the least
> leaving Postgres open to attack, at the worst allowing a door into who
> knows what security breach.
> Question : is there any way to run Postgres securely in a jail?
I'm note sure that this is an actual security issue. Assuming that the
processes running each jail are running under a different UID, they
shouldn't be anymore able to access each other's shared memory than they
would be able to share each others files.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Scott Marlowe | 2005-05-19 15:34:44 | Re: unique index with bool |
| Previous Message | Edmund Bacon | 2005-05-19 15:29:05 | Re: Count and Results together |