Date: Wed, 10 Sep 2003 22:12:58 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Michael Sig Birkmose <birkmose@cs.auc.dk>
Cc: freebsd-stable@freebsd.org
Subject: Re: jail + postgresql + System V IPC
Message-ID: <Pine.BSF.4.53.0309102200330.93188@e0-0.zab2.int.zabbadoz.net>
In-Reply-To: <007301c377ac$b76844d0$0301a8c0@mrwinslows>
References: <007301c377ac$b76844d0$0301a8c0@mrwinslows>
On Wed, 10 Sep 2003, Michael Sig Birkmose wrote:

Hi,

> So I guess my question is, whether it is a big security risk to run
> postgresql in a jail?

I once tested postgresql on a machine that I had used for testing some
routing stuff before and therefore no 127.0.0.1 had been configured on
loopback but another IP. Some internal statistics sockets or s.th. like
that (cannot really remember; PGSTAT ?) had been hardcoded to listen on
127.0.0.1 and postmaster did not start.

And this will be a problem with jails I guess: 127.0.0.1 gets mapped to
the official IP of the jail. Thus those sockets will be reachable from
outside the jail though they are set to 127 to not be reachable from
outside. Jail breaks this design.

I filed a bug report to the postgresql people those days but I had been
the only one ever complaining about this 127.0.0.1 so we agreed on
closing it.

I just found a 'diff' from those days that might help you to identify
the code:

--- postgresql-7.2.1.vanilla/./src/backend/postmaster/pgstat.c Thu Feb 7 23:20:26 2002
+++ postgresql-7.2.1/./src/backend/postmaster/pgstat.c Wed May 22 11:29:32 2002
@@ -183,7 +183,7 @@
 */
 pgStatAddr.sin_family = AF_INET;
 pgStatAddr.sin_port = htons(0);
- inet_aton("127.0.0.1", &(pgStatAddr.sin_addr));
+ inet_aton("127.0.0.1", &(pgStatAddr.sin_addr)); /* XXX FIXME */
 alen = sizeof(pgStatAddr);
 if (bind(pgStatSock, (struct sockaddr *) & pgStatAddr, alen) < 0)
 {
--- snipp ---

Also found a NOTE.txt next to it that tells me that I could stop this
thing happening by turning the stats collector off:

stats_start_collector = false

-- 
Greetings
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74          http://www.zabbadoz.net/
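Review bot: the `+` line in the pgstat.c hunk is the `-` line with only a `/* XXX FIXME */` comment appended, so applying this patch changes nothing at runtime: the stats socket is still bound to the hardcoded 127.0.0.1 with `sin_port = htons(0)`, and inside a jail that bind still lands on the jail's address, which is the exposure described in the mail. The hunk only marks the spot; an actual fix would have to stop assuming a real 127.0.0.1 exists (take the bind address from configuration, or at least verify with getsockname() after bind() that the socket ended up where the code thinks it did and refuse to start otherwise). Note also that the quote ends at `--- snipp ---`, so this is a fragment for locating the code, not a complete patch that applies as-is.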
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.53.0309102200330.93188>
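The mapping Bjoern describes (127.0.0.1 silently rewritten to the jail's address) can be checked from inside a jail instead of taken on trust. The program below is an added example, not code from the mail or from PostgreSQL: it repeats the bind pattern of the quoted pgstat.c hunk (AF_INET, port 0, loopback address) and then asks the kernel via getsockname() which address the socket really got. inet_pton() is used in place of the hunk's inet_aton(), and the helper names (check_loopback_bind, loopback_rewritten, bound_address_is) are my own. On an ordinary host the kernel reports 127.0.0.1; on a jail that maps loopback, it reports the jail's IP, meaning the "local only" socket is reachable from outside.

```c
/* Added example (not from the original mail or from PostgreSQL).
 * Binds a UDP socket the way the quoted pgstat.c hunk does, then uses
 * getsockname() to see whether the kernel kept 127.0.0.1 or rewrote it. */
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind to 127.0.0.1:0 and report the address the kernel actually assigned.
 * Writes the textual bound address into `bound` (>= INET_ADDRSTRLEN bytes).
 * Returns 0 if the socket is still on 127.0.0.1, 1 if the kernel rewrote
 * the address (jail-style loopback mapping), -1 on a socket error. */
int check_loopback_bind(char *bound, size_t boundlen)
{
    struct sockaddr_in want, got;
    socklen_t alen;
    int s, rewritten;

    s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;

    memset(&want, 0, sizeof(want));
    want.sin_family = AF_INET;
    want.sin_port = htons(0);                 /* ephemeral port, as in pgstat.c */
    inet_pton(AF_INET, "127.0.0.1", &want.sin_addr);

    if (bind(s, (struct sockaddr *)&want, sizeof(want)) < 0) {
        close(s);
        return -1;
    }

    /* Ask the kernel what address/port the socket ended up on. */
    alen = sizeof(got);
    if (getsockname(s, (struct sockaddr *)&got, &alen) < 0) {
        close(s);
        return -1;
    }
    close(s);

    inet_ntop(AF_INET, &got.sin_addr, bound, (socklen_t)boundlen);
    rewritten = (got.sin_addr.s_addr != want.sin_addr.s_addr);
    return rewritten;
}

/* Convenience wrappers without a buffer argument, for scripting and tests. */
int loopback_rewritten(void)
{
    char buf[INET_ADDRSTRLEN];
    return check_loopback_bind(buf, sizeof buf);
}

int bound_address_is(const char *expect)
{
    char buf[INET_ADDRSTRLEN];
    if (check_loopback_bind(buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    char addr[INET_ADDRSTRLEN];
    int r = check_loopback_bind(addr, sizeof addr);

    if (r < 0) {
        perror("socket/bind/getsockname");
        return 1;
    }
    printf("asked for 127.0.0.1, kernel bound %s: %s\n", addr,
           r ? "rewritten (loopback mapped to the jail address; reachable from outside)"
             : "unchanged (real loopback)");
    return 0;
}
```

Run it once on the host and once inside the jail; if the jailed run prints the jail's address, anything in that jail which binds to 127.0.0.1 expecting isolation (the stats collector socket in the mail, or any other "localhost only" listener) is exposed on the jail's interface, and the mail's workaround of `stats_start_collector = false`, or binding only to addresses the service is meant to expose, is the appropriate response.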