Date: Tue, 9 May 2006 18:19:24 +0700 From: Max Khon <fjoe@samodelkin.net> To: Robert Watson <rwatson@FreeBSD.org> Cc: Stephen Frost <sfrost@snowman.net>, freebsd-stable@FreeBSD.org, pgsql-hackers@postgresql.org, "Marc G. Fournier" <scrappy@postgresql.org>, Kris Kennaway <kris@obsecurity.org>, Tom Lane <tgl@sss.pgh.pa.us> Subject: Re: [HACKERS] semaphore usage "port based"? Message-ID: <20060509111924.GD64148@samodelkin.net> In-Reply-To: <20060403235222.W76562@fledge.watson.org> References: <27148.1144030940@sss.pgh.pa.us> <20060402232832.M947@ganymede.hub.org> <20060402234459.Y947@ganymede.hub.org> <27417.1144033691@sss.pgh.pa.us> <20060403164139.D36756@fledge.watson.org> <14654.1144082224@sss.pgh.pa.us> <20060403194251.GF4474@ns.snowman.net> <20060403233540.D76562@fledge.watson.org> <20060403225145.GI4474@ns.snowman.net> <20060403235222.W76562@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi! On Mon, Apr 03, 2006 at 11:56:13PM +0100, Robert Watson wrote: > >>This is why it's disabled by default, and the jail documentation > >>specifically advises of this possibility. Excerpt below. > > > >Ah, I see, glad to see it's accurately documented. > > As it has been for the last five years, I believe since introduction of the > setting to allow System V IPC to be used with documented limitations. > > >Given the rather significant use of shared memory by Postgres it seems to > >me that jail'ing it under FBSD is unlikely to get you the kind of > >isolation between instances that you want (the assumption being that you > >want to avoid the possibility of a user under one jail impacting a user in > >another jail). As such, I'd suggest finding something else if you truely > >need that isolation for Postgres or dropping the jails entirely. > > > >Running the Postgres instances under different uids (as you'd probably > >expect to do anyway if not using the jails) is probably the right > >approach. Doing that and using jails would probably work, just don't > >delude yourself into thinking that you're safe from a malicious user in > >one jail. > > Yes, there seems to be an awful lot of noise being made about the fact that > the system does, in fact, work exactly as documented, and that the > configuration being complained about is one that is specifically documented > as being unsupported and undesirable. > > As commented elsewhere in this thread, currently, there is no > virtualization support for System V IPC in the FreeBSD Jail implementation. > That may change if/when someone implements it. Until it's implemented, it > isn't going to be there, and the system won't behave as though it's there > no matter how much jumping up and down is done. sysvipc has been implemented once, but it has been decided that it adds unnecessary bloat. That's sad. /fjoe
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060509111924.GD64148>