From owner-freebsd-security  Thu Sep 28 11:32:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id 3B8B737B424
	for <freebsd-security@FreeBSD.ORG>; Thu, 28 Sep 2000 11:32:28 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.9.3/8.9.3) with SMTP id OAA10476;
	Thu, 28 Sep 2000 14:30:19 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Date: Thu, 28 Sep 2000 14:30:19 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
X-Sender: robert@fledge.watson.org
To: Paulo Fragoso <paulo@nlink.com.br>
Cc: Poul-Henning Kamp <phk@critter.freebsd.dk>,
	freebsd-security@FreeBSD.ORG
Subject: Re: Jail + PostgreSQL 
In-Reply-To: <Pine.BSF.4.10.10009281455440.27708-100000@mirage.nlink.com.br>
Message-ID: <Pine.NEB.3.96L.1000928142710.7124J-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


I've been taking a look at the SysV IPC code a bit this morning, and it
looks like the problem is that it supports a single integer-based
namespace that is seperate from the file system namespace.  Leaving aside
criticisms of the design, it looks like we need to perform some sort of
namespace scoping: either allocate independent namespaces for each
jail/partition, or provide stronger inter-jail protection while
maintaining the same namespace.  From the perspective of running
applications regardless of the jail, the first of those is prefered. 

I'm going to take a further look at it this evening, and could probably
hack together some patches by tomorrow or Sunday, although there may be
some garbage collection issues.  I've never used SysV IPC before, so there
may be a bit of a learning curve there.  If someone else wants to give
this a hack, that would certainly not be bad :-).

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

On Thu, 28 Sep 2000, Paulo Fragoso wrote:

> hummmmm.....
> 
> On Thu, 28 Sep 2000, Poul-Henning Kamp wrote:
> 
> > 
> > SYSV IPC is not jail-ified...
> > 
> > --
> > Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> > phk@FreeBSD.ORG         | TCP/IP since RFC 956
> > FreeBSD coreteam member | BSD since 4.3-tahoe    
> > Never attribute to malice what can adequately be explained by incompetence.
> > 
> 
> -- 
>    __O
>  _-\<,_     Why drive when you can bike?
> (_)/ (_)
> 
> 
> 



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message