Date: Wed, 10 Sep 2003 18:32:08 +0200 (CEST)
From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG
Subject: Re: jail + postgresql + System V IPC

Michael Sig Birkmose wrote:
> I have recently installed a jail environment on my freebsd box, and had some
> problems getting postgresql running under it.
> After looking a bit on various mailinglists i figured out that I needed to
> set jail.sysvipc_allowed to be 1 using sysctl in order to make postgresql
> run.
>
> However man jail gives me:
> [...]

In other words, shared memory and semaphores exist only once on the
machine, not per-jail. That means that a process in a jail is not
completely isolated from other processes in other jails (or in the
host environment) which also use shared memory or semaphores.

> Reading this it sounds like setting jail.sysvipc_allowed=1 is a bad idea?
> So I guess my question is, whether it is a big security risk to run
> postgresql in a jail?

No, I wouldn't say that. It is still _much_ better than not running
PostgreSQL in a jail at all. You can use the command "ipcs" to check
the current usage of shared memory and semaphores. Chances are that
PostgreSQL is the only program using them.

> And what if I am running postgresql in both the host
> environment and the jailed environment? Will I be asking for troubles?

No, they will just each acquire and use their own shared memory and
semaphores. However, it doesn't make sense to run more than one
PostgreSQL instance on one machine. In particular, why would you want
to run only one of them in a jail? Also note that running more than
one instance on a physical machine will lower the performance.

> I managed to get things running, and so far I haven't had problems, but I was
> wondering if it is safe to run postgresql + jail. I have seen an ISP
> offering freebsd jails, and they have a list regarding downsides of running
> jail (such as you can't use ICMP, shared hardware etc etc). In this list
> they also include that you can't run postgresql. This just makes me wonder
> even more if this cocktail is a good idea :)

They decided not to set the sysctl, in order to improve isolation.
Probably a very good idea on a shell box. I assume you don't intend
to offer user shells on the same machine running your PostgreSQL.

Apart from that, what would you do instead? Not run PostgreSQL at all?

Regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Documentation is like sex; when it's good, it's very, very good,
and when it's bad, it's better than nothing."  -- Dick Brandon
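The "ipcs" check suggested above, as an added example that is not part of the thread: a small sh script that reads FreeBSD `ipcs -m -s` output and reports which users own System V shared memory and semaphores on the machine-wide namespace, and which objects are reachable by "other". It assumes the column layout `T ID KEY MODE OWNER GROUP` and feeds itself a constructed sample instead of a live capture.

```shell
#!/bin/sh
# Added check (not from the thread): with jail.sysvipc_allowed=1 every
# jail shares one SysV IPC namespace, so confirm that the expected
# PostgreSQL user is the only owner and nothing is world-accessible.
# Assumes FreeBSD "ipcs -m -s" columns: T ID KEY MODE OWNER GROUP.

# ipc_owners: read ipcs output on stdin, print "type id owner" for each
# shared memory segment (T = m) or semaphore set (T = s).
ipc_owners() {
    awk '$1 == "m" || $1 == "s" { print $1, $2, $5 }'
}

# foreign_ipc_owners EXPECTED_USER: owners other than EXPECTED_USER,
# one per line, deduplicated. Empty output means nobody else uses IPC.
foreign_ipc_owners() {
    ipc_owners | awk -v u="$1" '$3 != u { print $3 }' | sort -u
}

# world_accessible_ipc: objects whose "other" permission bits (last three
# characters of the MODE column) grant read or write, so any process in
# any jail with sysvipc allowed could attach to or signal them.
world_accessible_ipc() {
    awk '($1 == "m" || $1 == "s") &&
         substr($4, length($4) - 2, 3) ~ /[rw]/ { print $1, $2, $5 }'
}

# Constructed sample of "ipcs -m -s" output; not captured from a real host.
SAMPLE_IPCS='Shared Memory:
T           ID          KEY MODE        OWNER    GROUP
m        65536      5432001 --rw-------  pgsql    pgsql
m        65537     12345678 --rw-rw-rw-  www      www
Semaphores:
T           ID          KEY MODE        OWNER    GROUP
s        65536      5432001 --rw-------  pgsql    pgsql
s        65537      5432002 --rw-------  pgsql    pgsql'

# Run the check over the sample; on a live host replace the printf with
# "ipcs -m -s |".
check_sample() {
    printf '%s\n' "$SAMPLE_IPCS" | foreign_ipc_owners pgsql
}
```

On the sample, `check_sample` reports `www` as a second IPC user and `world_accessible_ipc` flags its world-writable segment 65537; on a real host an empty result from both is what the advice above is hoping for.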