From: Kris Kennaway
To: "Marc G. Fournier"
Cc: freebsd-stable@freebsd.org, Kris Kennaway
Date: Sun, 2 Apr 2006 15:38:08 -0400
Subject: Re: [FreeBSD 6] semctl broken compared to 4-STABLE ...
Message-ID: <20060402193808.GA57127@xor.obsecurity.org>
In-Reply-To: <20060402162612.N947@ganymede.hub.org>

On Sun, Apr 02, 2006 at 04:32:31PM -0300, Marc G. Fournier wrote:
> On Sun, 2 Apr 2006, Kris Kennaway wrote:
>
> >On Sun, Apr 02, 2006 at 02:55:39PM -0300, Marc G. Fournier wrote:
> >>
> >>Back in April '05, someone posted a thread about PostgreSQL within FreeBSD
> >>jails:
> >>
> >>http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2005-04/0837.html
> >>
> >>At the time (and to date) I reported that I was running several PostgreSQL
> >>daemons, all on the same port, using FreeBSD 4.x, and all within a jail
> >>each ... and I continue to do this without any problems ...
> >>
> >>Today, on our new FreeBSD 6.x machine, I am now experiencing the same
> >>problem that Alexander originally reported ...
> >>
> >>It's not PostgreSQL related ... I'm running 4x7.4 servers on a FreeBSD 4.x
> >>box, all on the same port ... here, I'm trying to run 2x7.4 servers on a
> >>FreeBSD RELENG_6 box ...
> >>
> >>So, something has changed with FreeBSD 6's (and, according to the above
> >>thread, 5's) use of shared memory and semaphores that is breaking the
> >>ability to do this ... something that did work as hoped in FreeBSD 4 ...
> >
> >See jail(8)?
>
> If you are referring to:
>
>      security.jail.sysvipc_allowed
>              This MIB entry determines whether or not processes within a jail
>              have access to System V IPC primitives.  In the current jail
>              implementation, System V primitives share a single namespace
>              across the host and jail environments, meaning that processes
>              within a jail would be able to communicate with (and potentially
>              interfere with) processes outside of the jail, and in other
>              jails.  As such, this functionality is disabled by default, but
>              can be enabled by setting this MIB entry to 1.
>
> That wording hasn't changed since FreeBSD 4.x, so you are saying that
> FreeBSD 6.x has become *less* stable/secure in this regard than FreeBSD 4.x
> was?  Seems an odd direction to go ...
No, as you say the wording hasn't changed: "meaning that processes within
a jail would be able to communicate with (and potentially interfere with)
processes outside of the jail, and in other jails."  It looks like your
postgresql's are doing this.

Kris
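An added illustration of the interference Kris is pointing at (example code written for this archive page, not from the thread and not PostgreSQL's own code): PostgreSQL derives its System V IPC keys from the listening port, so two daemons on the same port in one shared SysV namespace (host plus every jail with sysvipc_allowed=1) land on the same semaphore set, and the second one's shutdown removes the set out from under the first. The port*1000 key formula, the function names and the port numbers are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/types.h>

/* Assumed key derivation for this example: a daemon builds its SysV key from
 * its listening port, here as port*1000 (assumption, not taken from the mail). */
static key_t key_for_port(int port)
{
    return (key_t)(port * 1000);
}

/* Two daemons "listening" on the same port inside a single SysV namespace.
 * The first creates its semaphore set; the second, using the same key, does
 * not get a fresh set but the first daemon's.  When the second shuts down and
 * removes "its" set, the first daemon's next semctl() on its stored id fails.
 * Returns 1 if that interference is observed, 0 if the sets stayed separate,
 * -1 if the first set could not be created (SysV IPC unavailable, or a stale
 * set with this key left behind by an earlier run). */
int same_port_interference(int port, int nsems)
{
    key_t key = key_for_port(port);
    int owner = semget(key, nsems, IPC_CREAT | IPC_EXCL | 0600);
    if (owner < 0)
        return -1;
    /* second daemon: same key, no IPC_EXCL, so it silently joins the set */
    int second = semget(key, nsems, IPC_CREAT | 0600);
    if (second < 0) {
        semctl(owner, 0, IPC_RMID);
        return -1;
    }
    int shared = (second == owner);
    /* second daemon's shutdown: remove what it believes is its own set */
    semctl(second, 0, IPC_RMID);
    /* first daemon keeps using the id it stored at startup: now invalid */
    int stale = (semctl(owner, 0, GETVAL) < 0 &&
                 (errno == EINVAL || errno == EIDRM));
    if (!shared)
        semctl(owner, 0, IPC_RMID);  /* separate set: clean it up ourselves */
    return (shared && stale) ? 1 : 0;
}

int main(void)
{
    int r = same_port_interference(5432, 4);  /* 5432: PostgreSQL's usual port */
    printf("same-port daemons interfere: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "could not test");
    return r == 1 ? 0 : 1;
}
```

Per-jail IPC namespaces, or distinct ports per jail so the derived keys differ, keep the two sets apart; with the shared namespace described in jail(8) the collision above is the expected outcome.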