From owner-freebsd-questions Wed Apr 24 6:37: 9 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from dire.bris.ac.uk (dire.bris.ac.uk [137.222.10.60])
    by hub.freebsd.org (Postfix) with ESMTP id CA5F937B41C
    for ; Wed, 24 Apr 2002 06:37:05 -0700 (PDT)
Received: from mail.ilrt.bris.ac.uk by dire.bris.ac.uk
    with SMTP-PRIV with ESMTP; Wed, 24 Apr 2002 14:35:19 +0100
Received: from cmjg (helo=localhost) by mail.ilrt.bris.ac.uk
    with local-esmtp (Exim 3.16 #1) id 170MtI-0000Xn-00;
    Wed, 24 Apr 2002 14:33:00 +0100
Date: Wed, 24 Apr 2002 14:33:00 +0100 (BST)
From: Jan Grant
X-X-Sender: cmjg@mail.ilrt.bris.ac.uk
To: Frans Haarman
Cc: questions@freebsd.org
Subject: Re: will postgresql run in a jail ?
In-Reply-To: <1019641981.3716.16.camel@tesla>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On 24 Apr 2002, Frans Haarman wrote:

> In the developers handbook I found
>
> ``jail is a very useful tool for running applications in a secure
> environment but it does have some shortcomings. Currently, the IPC
> mechanisms have not been converted to the suser_xxx so applications such
> as MySQL cannot be run within a jail.''
>
> I was wondering if this has changed yet (running 4-STABLE), and if
> postgres uses the same mechanisms.

Postgres uses sysv IPC mechanisms; I don't think these are jail-aware
yet on -stable (looking at recent source).

> Is there a way to check if a program will run within a jail ? Without
> trying.

Only by inspection; see what facilities it uses, and check if they're
currently jail-capable.

> And is there a way to have a jail record all used files ? So we can
> easily see what is being used in the jail, and delete the rest. Maybe
> even make a custom Makefile for the jail so no diskspace is wasted!

If you use a real copy of the filesystem inside your jail, looking at
access times will tell you what files are being opened. If you're
interested in reducing wasted diskspace, then using some kind of
readonly loopback mount (eg, with localhost nfs) for the majority of the
jail filesystems is a reasonable alternative.

jan

PS. Beware of atime modifications acting as a covert channel if you do
this.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
"Impact of vulnerability: Run code of an attacker's choice
Maximum Severity Rating: Moderate" -- M$ security bulletin

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
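
The access-time inspection suggested in the reply above, as an added example that is not part of the original message or of FreeBSD: it walks a jail root and splits regular files into those read since a baseline time and those never touched. The function names, the sample tree and the baseline timestamp are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_atimes(root, baseline):
    """Return (used, unused): sorted (relative path, size) lists for regular
    files whose atime is after / not after `baseline` (epoch seconds)."""
    used, unused = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # metadata only; does not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            entry = (os.path.relpath(path, root), st.st_size)
            (used if st.st_atime > baseline else unused).append(entry)
    return sorted(used), sorted(unused)

def build_sample_tree(root, baseline):
    """Constructed sample data: a tiny fake jail root with preset atimes."""
    sample = {  # relative path -> (size in bytes, accessed after baseline?)
        "bin/sh": (4096, True),
        "etc/rc.conf": (200, True),
        "usr/share/doc/README": (1500, False),
        "usr/share/man/man1/ls.1": (3000, False),
    }
    for rel, (size, touched) in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        atime = baseline + 60 if touched else baseline - 60
        os.utime(path, (atime, baseline - 3600))  # (atime, mtime)

if __name__ == "__main__":
    baseline = 1_000_000_000  # assumed: the moment the jail was started
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, baseline)
        used, unused = audit_atimes(root, baseline)
        print("accessed since baseline:", [p for p, _ in used])
        print("never accessed:", [p for p, _ in unused])
        print("reclaimable bytes:", sum(s for _, s in unused))
```

On a filesystem mounted noatime or read-only, access times are not updated, so every file would be reported as unused; run the audit only against a writable copy with atime updates enabled.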