From: Stephen Frost <sfrost@snowman.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: freebsd-stable@FreeBSD.org, "Marc G. Fournier", pgsql-hackers@postgresql.org, Robert Watson, Kris Kennaway
Date: Mon, 3 Apr 2006 15:42:51 -0400
Subject: Re: [HACKERS] semaphore usage "port based"?
Message-ID: <20060403194251.GF4474@ns.snowman.net>
In-Reply-To: <14654.1144082224@sss.pgh.pa.us>
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> That's a fair question, but in the context of the code I believe we are
> behaving reasonably. The reason this code exists is to provide some
> insurance against leaking semaphores when a postmaster process is
> terminated unexpectedly (ye olde often-recommended-against "kill -9
> postmaster", for instance). If the PID returned by GETPID is

Could this be handled sensibly by using SEM_UNDO? Just a thought.

> So I think the code is pretty bulletproof as long as it's in a system
> that is behaving per SysV spec. The problem in the current FBSD
> situation is that the jail mechanism is exposing semaphore sets across
> jails, but not exposing the existence of the owning processes. That
> behavior is inconsistent: if process A can affect the state of a sema
> set that process B can see, it's surely unreasonable to pretend that A
> doesn't exist.

This is certainly a problem with FBSD jails... Not only the inconsistency, but what happens if someone manages to get access to the appropriate uid under one jail and starts sniffing or messing with the semaphores or shared memory segments from other jails? If that's possible then that's a rather glaring security problem...

Thanks,

Stephen
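The two mechanisms the message turns on, the GETPID-plus-liveness check that the quoted text describes and the SEM_UNDO alternative Stephen raises, can be seen side by side in the following added example. It is not code from this thread, from PostgreSQL or from FreeBSD; it assumes Linux SysV semaphore semantics (where the `semun` union is left to the application) and the helper names `create_sem`, `reset_sem`, `value_after_child_killed` and `last_operator_alive` are hypothetical names chosen for this illustration. A child process takes a semaphore and is then killed with SIGKILL while holding it, once without and once with SEM_UNDO, and the parent reports what the kernel leaves behind.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Linux leaves this union to the application (see semctl(2)); other
 * systems may already provide it in <sys/sem.h>. */
union semun {
    int val;
    struct semid_ds *buf;
    unsigned short *array;
};

/* Create a private one-semaphore set whose single semaphore is 1 ("free"). */
static int create_sem(void) {
    int id = semget(IPC_PRIVATE, 1, IPC_CREAT | 0600);
    if (id < 0) return -1;
    union semun arg;
    arg.val = 1;
    if (semctl(id, 0, SETVAL, arg) < 0) {
        semctl(id, 0, IPC_RMID);
        return -1;
    }
    return id;
}

/* Reset the semaphore to 1 so the same set can be reused for another run. */
static int reset_sem(int id) {
    union semun arg;
    arg.val = 1;
    return semctl(id, 0, SETVAL, arg);
}

/* Fork a child that takes the semaphore (decrement by one) with the given
 * semop flags (0 or SEM_UNDO), then kill it with SIGKILL while it still
 * holds the semaphore: the "kill -9" case the thread is about.
 * A pipe tells the parent when the child actually holds it.
 * Returns the value the parent sees afterwards, or -1 on error. */
static int value_after_child_killed(int id, short flags) {
    int fd[2];
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {
        close(fd[0]);
        struct sembuf op = { 0, -1, flags };   /* sem_num, sem_op, sem_flg */
        if (semop(id, &op, 1) < 0) _exit(2);
        if (write(fd[1], "x", 1) != 1) _exit(3);
        for (;;) pause();                      /* hold it until killed */
    }
    close(fd[1]);
    char c;
    ssize_t n = read(fd[0], &c, 1);  /* returns 1 once the child holds it, 0 if it died first */
    close(fd[0]);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    if (n != 1) return -1;
    return semctl(id, 0, GETVAL);
}

/* The liveness check described in the quoted text: ask the kernel which
 * PID last operated on the semaphore and probe it with signal 0.
 * Returns 1 if that process is visible and alive, 0 if the kernel reports
 * no such process (ESRCH), -1 on any other error.  A process that is alive
 * but hidden from the caller, the cross-jail situation the thread
 * describes, also yields ESRCH, so 0 means "not visible", not "dead". */
static int last_operator_alive(int id) {
    pid_t pid = semctl(id, 0, GETPID);
    if (pid <= 0) return -1;
    if (kill(pid, 0) == 0) return 1;
    if (errno == EPERM) return 1;     /* exists, we just may not signal it */
    return (errno == ESRCH) ? 0 : -1;
}

int main(void) {
    int id = create_sem();
    if (id < 0) { perror("semget/semctl"); return 1; }

    int v = value_after_child_killed(id, 0);
    printf("without SEM_UNDO: value after kill -9 = %d (semaphore leaked)\n", v);
    printf("last operator visible to us: %d\n", last_operator_alive(id));

    reset_sem(id);
    v = value_after_child_killed(id, SEM_UNDO);
    printf("with SEM_UNDO:    value after kill -9 = %d (kernel restored it)\n", v);

    semctl(id, 0, IPC_RMID);
    return 0;
}
```

Without SEM_UNDO the semaphore stays at 0 after the holder dies, which is exactly the leak the postmaster code guards against by checking GETPID; with SEM_UNDO the kernel applies the undo adjustment at process exit, SIGKILL included, and the value returns to 1 with no PID check at all. The caveat in `last_operator_alive` is the point of Tom's complaint: the check is only sound where every process that can touch the semaphore set is also visible to `kill(pid, 0)`.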