At the BSDCan tutorial last week on jails (and several other times)
there was discussion regarding Postgres's use of system V style
shared memory, and an unfortunate side effect of making jail() less
secure. Specifically, to allow Postgres to operate in a jail()ed
environment, the sysctl :
jail.sysvipc_allowed=1
has to be set. This allows ALL jails to access the memory, at the least
leaving Postgres open to attack, at the worst allowing a door into who
knows what security breach.
Question : is there any way to run Postgres securely in a jail?