Date: Thu, 28 Sep 2000 15:59:30 -0300 (EST) From: Paulo Fragoso <paulo@nlink.com.br> To: Robert Watson <rwatson@freebsd.org> Cc: freebsd-security@freebsd.org Subject: Re: Jail + PostgreSQL Message-ID: <Pine.BSF.4.10.10009281458590.27708-100000@mirage.nlink.com.br> In-Reply-To: <Pine.NEB.3.96L.1000928110030.7124B-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 28 Sep 2000, Robert Watson wrote:
>
> On Thu, 28 Sep 2000, Paulo Fragoso wrote:
>
> > If we kill all postgres in all jails and we start postgresql manually on
> > frist jail after this we start postgresql on second jail all work fine.
>
> I wasn't clear from your description as to the configuration. I generally
> thing of jails in the following kind of diagram:
>
> +------------------------------------------+
> | The host environment |
> | |
> | +-------+ +-------+ |
> | | Jail1 | | Jail2 | |
> | +-------+ +-------+ |
> +------------------------------------------+
Yes, we've got two jails into same host environment.
>
> This is intended to reflect that while jail's are logically partitioned,
> they're all subsets of the host environment, and that therefore there can
> be interactions between the host and jail environments. For example, the
> reason the jail(8) man page recommends not running inetd/sendmail/sshd/etc
> in the host environment without configuration modifications is the
> following: a daemon that binds INADDR_ANY in a jail is limited to that
> jail's IP address, whereas a daemon in the host environment will listen on
> any IP not specifically bound by an application (i.e., one in a jail).
> this means that sendmail will listen on jail IPs if those jails are not
> running sendmail -- undesirable :-). So my questions below are pointed at
> determining if this is a host interaction like that, or if it is an
> inter-jail interaction.
It's ok.
>
> In which locations in this diagram are you running postgresql? It sounded
> like a pgsql in Jail1, and a pgsql in Jail2, but was there also one in the
> host environment?
There isn't pgsql in the host environment.
>
> > Are there any problem with shared memory using jail? Is this a security
> > problem?
>
> It may be, and I don't know because I didn't write this code, that all
> jails share the same SysV SHM namespace. If that is the case, it needs to
> be fixed, and could be a security problem if you run applications using
> SysV SHM between jails. However, it could also be a host vs. jail issue,
> if you are starting a pgsql in the host environment, which might interfere
> with the ones in jail. You note that re-running them in the jails makes
> them start fine -- is this an indication that you had one in the host
> environment? A concise timeline concerning the starting, stopping, and
When we are logged on jail1 and jail2 (using two xterm), frist we run the
pgsql on jail1 and second the pgsql on jail2, they works fine (I think).
Rebooting the host enviroment we've got problems, our rc file looks like
this:
#!/bin/sh
rm /export/jail1/tmp/.s*
ifconfig ed0 inet alias jjj.jjj.jjj.35 netmask 255.255.255.255
mount -t procfs proc /export/jail1/proc
jail /export/jail1 jail1 200.249.195.35 /bin/sh /etc/rc
rm /export/jail2/tmp/.s*
ifconfig ed0 inet alias jjj.jjj.jjj.38 netmask 255.255.255.255
mount -t procfs proc /export/jail2/proc
jail /export/jail2 jail2 200.249.195.38 /bin/sh /etc/rc
If the shared menory isn't jailed then it's explain some crazy erros on
pgsql, like this:
DEBUG: Data Base System is in production state at Thu Sep 28 11:45:32
2000
FATAL 1: relpath_blind: oid of db tallyman is not 22624
^^^^^^^^
This error happened on jails1 and "tallyman" only exist on jail2!!!
> errors, as well as jail starting events, would be useful. I admit to
> having never tried to run postgresql in a jail, but it seems like a useful
> thing to do :-).
>
> Robert N M Watson
>
> robert@fledge.watson.org http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> TIS Labs at Network Associates, Safeport Network Services
>
>
Thanks,
Paulo.
--
__O
_-\<,_ Why drive when you can bike?
(_)/ (_)
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10009281458590.27708-100000>