Date: Tue, 24 Dec 2002 09:51:12 +0100
From: Marton Kenyeres
To: security@freebsd.org
Subject: Jail & SYSVIPC & postgres
Message-ID: <20021224095112.A27587@bsd.konvergencia.hu>

Hi!

I'm in the middle of building a server which will run Apache + PHP + Postgresql along with a few basic services such as DNS, SMTP and POP3. I plan to put the web-related services, the e-mail related services and BIND in 3 separate jails.

Unfortunately PostgreSQL depends heavily on shared memory, so if I plan to use it in a jail I have to turn the jail.sysvipc_allowed sysctl on.

One more addition: the jails are bound to aliases on the loopback interface and the connections are NAT-ed to the outer interface. The main benefit of this (apart from not paying $$-s for additional IP-addresses :) is that no service runs as root as they don't have to bind to their usual privileged ports.

From the developers handbook:

"On most systems, this sysctl is set to 0. If it were set to 1, it would defeat the whole purpose of having a jail; privileged users from within the jail would be able to affect processes outside of the environment."

My question is: Do I really shoot myself in the foot with allowing SYSVIPC in the jails, if there are absolutely no processes running as root inside the jails, nor are there any suid programs?

Any help, advice etc. greatly appreciated,

cheerz:
m.
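
The two conditions the message relies on (no processes running as root inside the jail, no setuid programs in it) can be checked mechanically rather than assumed. The script below is an added example, not part of the original post; the function names, the jail ID and path arguments, and the sample process listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify the two conditions named in the post for a jail
# that has SysV IPC enabled. Function names and sample data are hypothetical.

# Print setuid/setgid regular files found under a jail's root directory.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Read "JID UID COMMAND" lines on stdin and print those that belong to
# jail $1 and run with UID 0. The header line never matches.
# On FreeBSD the input would come from: ps -ax -o jid,uid,command
jailed_root_procs() {
    awk -v jid="$1" '$1 == jid && $2 == 0'
}

# audit_jail JID ROOT < ps-listing
# Reports every violation and returns 0 only when both checks are clean.
audit_jail() {
    procs=$(jailed_root_procs "$1")
    files=$(setid_files "$2")
    [ -z "$procs" ] || printf 'root processes in jail %s:\n%s\n' "$1" "$procs"
    [ -z "$files" ] || printf 'setuid/setgid files under %s:\n%s\n' "$2" "$files"
    [ -z "$procs" ] && [ -z "$files" ]
}

# Constructed sample listing (not real output): jail 1 runs PostgreSQL
# unprivileged, jail 2 still has a root-owned cron.
SAMPLE_PS='JID UID COMMAND
0 0 /sbin/init
1 70 postgres: writer process
2 0 /usr/sbin/cron -s
2 80 /usr/local/sbin/httpd'

# Demonstration on the constructed listing: prints the offending line.
printf '%s\n' "$SAMPLE_PS" | jailed_root_procs 2
```

Run `audit_jail` from the host, outside the jail, so that a compromised jail cannot hide its own processes or files from the check.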