From: Nathaniel W Filardo
To: pgollucci@freebsd.org
Cc: nwf@cs.jhu.edu, apache@freebsd.org
Date: Wed, 8 Feb 2012 22:17:39 -0500
Subject: Re: ports/144010: devel/apr1 tries to use SYSVIPC even in jails
Message-ID: <20120209031739.GE2226@gradx.cs.jhu.edu>
In-Reply-To: <201202090259.q192x8Ir051130@freefall.freebsd.org>
List-Id: Support of apache-related ports

On Thu, Feb 09, 2012 at 02:59:08AM +0000, pgollucci@freebsd.org wrote:
> Synopsis: devel/apr1 tries to use SYSVIPC even in jails
>
> State-Changed-From-To: open->closed
> State-Changed-By: pgollucci
> State-Changed-When: Thu Feb 9 02:59:08 UTC 2012
> State-Changed-Why:
> sysctl security.jail.sysvipc_allowed=1 before you build it in a jail if
> you need this
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=144010

IMHO it would be better if APR were told to use a different IPC mechanism if
it were jailed. sysvipc_allowed has dramatically negative security
implications that the other IPC mechanisms it can use do not, AIUI.

Thanks.
--nwf;