From owner-freebsd-stable@FreeBSD.ORG Mon Apr 3 19:41:29 2006 Return-Path: X-Original-To: freebsd-stable@freebsd.org Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CB5A116A453 for ; Mon, 3 Apr 2006 19:41:29 +0000 (UTC) (envelope-from deischen@freebsd.org) Received: from mail.ntplx.net (mail.ntplx.net [204.213.176.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6C87743D45 for ; Mon, 3 Apr 2006 19:41:29 +0000 (GMT) (envelope-from deischen@freebsd.org) Received: from sea.ntplx.net (sea.ntplx.net [204.213.176.11]) by mail.ntplx.net (8.13.6/8.13.6/NETPLEX) with ESMTP id k33JfSWp013445; Mon, 3 Apr 2006 15:41:28 -0400 (EDT) Date: Mon, 3 Apr 2006 15:41:28 -0400 (EDT) From: Daniel Eischen X-X-Sender: eischen@sea.ntplx.net To: "Marc G. Fournier" In-Reply-To: <20060403163039.O947@ganymede.hub.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS and Clam AntiVirus (mail.ntplx.net) Cc: Peter Jeremy , freebsd-stable@freebsd.org Subject: Re: [HACKERS] semaphore usage "port based"? X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Daniel Eischen List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Apr 2006 19:41:29 -0000 On Mon, 3 Apr 2006, Marc G. Fournier wrote: > On Mon, 3 Apr 2006, Daniel Eischen wrote: > > > > > Or: > > > > 3) Run postgres in such a way that it doesn't look for > > remnant IPC information from other instances (use a > > per-jail-specific port #?). > > > > Postgres has no business cleaning up after different jailed > > instances of itself, which it wouldn't do if IPC's were > > per-jail. So since IPC's don't currently work that way, > > account for it by the way you run postgres. > > This falls under "well,we broke kill() so that it now reports a PID is not > in use even though it is, so its has to be the application that fixes it" No, kill is performing as it should. Se Robert's other response regarding sendmail. > ... and you *still* haven't shown *why* kill() reporting a PID is in use, > even if its not in the current jail, is such a security threat ... For reducing attacks I suppose. But conceptually, something running in a jail shouldn't be allowed to see out. -- DE