Date: Wed, 24 Apr 2002 14:33:00 +0100 (BST) From: Jan Grant <Jan.Grant@bristol.ac.uk> To: Frans Haarman <frans@haarman.com> Cc: questions@freebsd.org Subject: Re: will postgresql run in a jail ? Message-ID: <Pine.GSO.4.44.0204241426330.23534-100000@mail.ilrt.bris.ac.uk> In-Reply-To: <1019641981.3716.16.camel@tesla>
next in thread | previous in thread | raw e-mail | index | archive | help
On 24 Apr 2002, Frans Haarman wrote: > In the developers handbook I found > > ``jail is a very useful tool for running applications in a secure > environment but it does have some shortcomings. Currently, the IPC > mechanisms have not been converted to the suser_xxx so applications such > as MySQL cannot be run within a jail.'' > > I was wondering if this has changed yet (running 4-STABLE), and if > postgres uses the same mechanisms. Postgres uses sysv IPC mechanisms; I don't think these are jail-aware yet on -stable (looking at recent source). > Is there a way to check if a program will run within a jail ? Without > trying. Only by inspection; see what facilities it uses, and check if they're currently jail-capable. > And is there a way to have a jail record al used files ? So we can > easily see what is being used in the jail, and delete the rest. Maybe > even make a custom Makefile for the jail so no diskspace is wasted! If you use a real copy of the filesystem inside your jail, looking at access times will tell you what files are being opened. If you're interested in reducing wasted diskspace, then using some kind of readonly loopback mount (eg, with localhost nfs) for the majority of the jail filesystems is a reasonable alternative. jan PS. Beware of atime modifications acting as a covert channel if you do this. -- jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/ Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk "Impact of vulnerability: Run code of an attacker's choice Maximum Severity Rating: Moderate" -- M$ security bulletin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.GSO.4.44.0204241426330.23534-100000>