Date: Thu, 28 Sep 2000 11:06:37 -0400 (EDT) From: Robert Watson <rwatson@freebsd.org> To: Paulo Fragoso <paulo@nlink.com.br> Cc: freebsd-security@freebsd.org Subject: Re: Jail + PostgreSQL Message-ID: <Pine.NEB.3.96L.1000928110030.7124B-100000@fledge.watson.org> In-Reply-To: <Pine.BSF.4.10.10009281013250.83565-100000@mirage.nlink.com.br>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 28 Sep 2000, Paulo Fragoso wrote: > If we kill all postgres in all jails and we start postgresql manually on > frist jail after this we start postgresql on second jail all work fine. I wasn't clear from your description as to the configuration. I generally thing of jails in the following kind of diagram: +------------------------------------------+ | The host environment | | | | +-------+ +-------+ | | | Jail1 | | Jail2 | | | +-------+ +-------+ | +------------------------------------------+ This is intended to reflect that while jail's are logically partitioned, they're all subsets of the host environment, and that therefore there can be interactions between the host and jail environments. For example, the reason the jail(8) man page recommends not running inetd/sendmail/sshd/etc in the host environment without configuration modifications is the following: a daemon that binds INADDR_ANY in a jail is limited to that jail's IP address, whereas a daemon in the host environment will listen on any IP not specifically bound by an application (i.e., one in a jail). this means that sendmail will listen on jail IPs if those jails are not running sendmail -- undesirable :-). So my questions below are pointed at determining if this is a host interaction like that, or if it is an inter-jail interaction. In which locations in this diagram are you running postgresql? It sounded like a pgsql in Jail1, and a pgsql in Jail2, but was there also one in the host environment? > Are there any problem with shared memory using jail? Is this a security > problem? It may be, and I don't know because I didn't write this code, that all jails share the same SysV SHM namespace. If that is the case, it needs to be fixed, and could be a security problem if you run applications using SysV SHM between jails. However, it could also be a host vs. jail issue, if you are starting a pgsql in the host environment, which might interfere with the ones in jail. You note that re-running them in the jails makes them start fine -- is this an indication that you had one in the host environment? A concise timeline concerning the starting, stopping, and errors, as well as jail starting events, would be useful. I admit to having never tried to run postgresql in a jail, but it seems like a useful thing to do :-). Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1000928110030.7124B-100000>