| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
| Cc: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, Robert Watson <rwatson(at)FreeBSD(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org, kris(at)obsecurity(dot)org |
| Subject: | Re: semaphore usage "port based"? |
| Date: | 2006-04-11 19:51:34 |
| Message-ID: | 20060411195134.GD4474@ns.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Bruce Momjian (pgman(at)candle(dot)pha(dot)pa(dot)us) wrote:
> I updated the wording to say 'non-root users':
>
> If running in FreeBSD jails by enabling <application>sysconf</>'s
> <literal>security.jail.sysvipc_allowed</>, <application>postmaster</>s
> running in different jails should be run by different operating system
> users. This improves security because it prevents non-root users
> from interfering with shared memory or semaphores in a different jail,
> and it allows the PostgreSQL IPC cleanup code to function properly.
> (In FreeBSD 6.0 and later the IPC cleanup code doesn't properly detect
> processes in other jails, preventing the running of postmasters on the
> same port in different jails.)
You're still saying it'll do something that it won't... It doesn't
prevent non-root users from messing with each other if they're the same
UID, even if they're under different jails... That's the whole problem
here. :)
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2006-04-11 19:56:29 | Re: semaphore usage "port based"? |
| Previous Message | Bruce Momjian | 2006-04-11 19:42:58 | Re: semaphore usage "port based"? |