Date: Tue, 23 Nov 2004 14:37:47 +0000
From: Andy Smith <andy@freebsdwiki.org>
To: freebsd-questions@FreeBSD.org
Subject: Re: security.jail.sysvipc_allowed: implications ?
Message-ID: <20041123143747.GI1549@caffreys.strugglers.net>
In-Reply-To: <50098.81.84.175.77.1101158582.squirrel@81.84.175.77>
References: <50098.81.84.175.77.1101158582.squirrel@81.84.175.77>
On Mon, Nov 22, 2004 at 03:23:02PM -0600, klr@6s-gaming.com wrote:
> I'd like to know what are the implications of setting
> security.jail.sysvipc_allowed=1 while using FreeBSD jails. If I understood
> correctly, setting this to 1 allows processes inside the jail to
> communicate to the host server/other jails using SysV shared memory, but I
> don't understand the full implications of this.

I don't either, but I believe it basically means that if a program (inside
a jail or on the host system) were to create some shared memory that
"everyone" was allowed access to, then even processes in other jails could
access this memory, which may be contrary to what you would expect from a
jailed environment.

Basically all of your SysV stuff would be global as opposed to separate for
each jail.

> Is there any concern using this sysctl as 1 on a system with only a jail
> without any ssh access, and nothing but courier, postfix, and apache?
> (inside jail)

If you don't care that processes in other jails and on the host would be
able to manipulate any shared memory from that jail as it would on a normal
unjailed system, then no, I think not. As far as SysV IPC goes it makes it
as if nothing is jailed.

PS I have had real problems getting SysV message queues to work inside a
jail even with this sysctl set, but I have never bothered to chase it down
as yet.
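The practical consequence of the reply above is that once security.jail.sysvipc_allowed=1 makes the SysV IPC namespace global, the only thing still separating a jail's shared memory, semaphores and message queues from other jails and the host is the mode bits on each object. The script below is an added example, not code from the thread or from FreeBSD: it reads the sysctl named on the page, then feeds ipcs(1) output through a small audit that lists every object whose "other" bits grant read or write. The column layout it assumes (T ID KEY MODE OWNER GROUP) is FreeBSD's ipcs format; the function names and the sample ipcs output are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original thread). Audits SysV IPC exposure on
# a FreeBSD host where security.jail.sysvipc_allowed=1 (sysctl from the page).
# Assumes FreeBSD's ipcs(1) column layout: T ID KEY MODE OWNER GROUP.

# Translate the sysctl value into what it means for jails:
#   1 -> one global IPC namespace shared by host and every jail
#   0 -> jailed processes are refused SysV IPC calls
sysvipc_mode() {
    case "$1" in
        1) echo global ;;
        0) echo blocked ;;
        *) echo unknown; return 1 ;;
    esac
}

# Read ipcs-style lines on stdin and print "type id mode owner" for each
# object whose "other" permission bits include r or w. With a global IPC
# namespace these are the objects any process in any jail can attach to.
world_accessible_ipc() {
    awk '
        # Data rows start with the object type: m (shm), s (sem), q (msg).
        # Header rows ("T ID KEY ...") and section titles are skipped.
        $1 ~ /^[msq]$/ {
            other = substr($4, length($4) - 2)   # last rwx triplet = "other"
            if (other ~ /[rw]/) print $1, $2, $4, $5
        }'
}

# Live audit: only meaningful on a FreeBSD host; combines both helpers.
live_audit() {
    mode=$(sysvipc_mode "$(sysctl -n security.jail.sysvipc_allowed)") || return 1
    echo "security.jail.sysvipc_allowed: $mode"
    if [ "$mode" = global ]; then
        echo "objects reachable from any jail (type id mode owner):"
        ipcs | world_accessible_ipc
    fi
}

# Constructed sample of ipcs output for offline demonstration. Only the
# first shm segment (0666) and the semaphore (0644) should be reported.
SAMPLE='Shared Memory:
T           ID          KEY MODE        OWNER    GROUP
m        65536   0x0052e2c1 --rw-rw-rw- www      www
m        65537            0 --rw------- postfix  postfix
Semaphores:
T           ID          KEY MODE        OWNER    GROUP
s        65536            0 --rw-r--r-- www      www
Message Queues:
T           ID          KEY MODE        OWNER    GROUP
q            0            0 --rw------- courier  courier'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE" | world_accessible_ipc ;;
    --live) live_audit ;;
esac
```

Run with `--demo` to see the audit applied to the constructed sample, or `--live` on a FreeBSD host to apply it to the real sysctl and ipcs output. Anything the audit reports is an object that, with the sysctl at 1, is reachable from every jail regardless of which jail or host process created it, so the mitigation is on the application side: create segments and queues with a restrictive mode (owner-only) rather than relying on the jail boundary.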