From owner-freebsd-stable@FreeBSD.ORG Mon Apr 3 19:45:31 2006 Return-Path: X-Original-To: freebsd-stable@FreeBSD.org Delivered-To: freebsd-stable@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6D80716A41F; Mon, 3 Apr 2006 19:45:31 +0000 (UTC) (envelope-from kris@obsecurity.org) Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9DE5A43D6D; Mon, 3 Apr 2006 19:45:25 +0000 (GMT) (envelope-from kris@obsecurity.org) Received: from obsecurity.dyndns.org (elvis.mu.org [192.203.228.196]) by elvis.mu.org (Postfix) with ESMTP id 8331B1A3C25; Mon, 3 Apr 2006 12:45:25 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 6D13751CE5; Mon, 3 Apr 2006 15:45:24 -0400 (EDT) Date: Mon, 3 Apr 2006 15:45:24 -0400 From: Kris Kennaway To: Tom Lane , Robert Watson , "Marc G. Fournier" , Kris Kennaway , freebsd-stable@FreeBSD.org, pgsql-hackers@postgresql.org Message-ID: <20060403194524.GA58237@xor.obsecurity.org> References: <20060402225204.U947@ganymede.hub.org> <26985.1144029657@sss.pgh.pa.us> <20060402231232.C947@ganymede.hub.org> <27148.1144030940@sss.pgh.pa.us> <20060402232832.M947@ganymede.hub.org> <20060402234459.Y947@ganymede.hub.org> <27417.1144033691@sss.pgh.pa.us> <20060403164139.D36756@fledge.watson.org> <14654.1144082224@sss.pgh.pa.us> <20060403194251.GF4474@ns.snowman.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ReaqsoxgOBHFXBhH" Content-Disposition: inline In-Reply-To: <20060403194251.GF4474@ns.snowman.net> User-Agent: Mutt/1.4.2.1i Cc: Subject: Re: [HACKERS] semaphore usage "port based"? X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Apr 2006 19:45:31 -0000 --ReaqsoxgOBHFXBhH Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 03, 2006 at 03:42:51PM -0400, Stephen Frost wrote: > * Tom Lane (tgl@sss.pgh.pa.us) wrote: > > That's a fair question, but in the context of the code I believe we are > > behaving reasonably. The reason this code exists is to provide some > > insurance against leaking semaphores when a postmaster process is > > terminated unexpectedly (ye olde often-recommended-against "kill -9 > > postmaster", for instance). If the PID returned by GETPID is >=20 > Could this be handled sensibly by using SEM_UNDO? Just a thought. >=20 > > So I think the code is pretty bulletproof as long as it's in a system > > that is behaving per SysV spec. The problem in the current FBSD > > situation is that the jail mechanism is exposing semaphore sets across > > jails, but not exposing the existence of the owning processes. That > > behavior is inconsistent: if process A can affect the state of a sema > > set that process B can see, it's surely unreasonable to pretend that A > > doesn't exist. >=20 > This is certainly a problem with FBSD jails... Not only the > inconsistancy, but what happens if someone manages to get access to the > appropriate uid under one jail and starts sniffing or messing with the > semaphores or shared memory segments from other jails? If that's > possible then that's a rather glaring security problem... This was stated already upthread, but sysv IPC is disabled by default in jails for precisely this reason. So yes, when you turn it on it's a potential security problem if your jails are supposed to be compartmentalized. Kris --ReaqsoxgOBHFXBhH Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQFEMXtTWry0BWjoQKURAv7kAJ44Pj6OEpKv4XMRRVe8gB5UrNUadACg32mb 7osslD45n6MSY2TeF1tQNAI= =uj9p -----END PGP SIGNATURE----- --ReaqsoxgOBHFXBhH--