Date:      Sun, 2 Apr 2006 15:38:08 -0400
From:      Kris Kennaway <kris@obsecurity.org>
To:        "Marc G. Fournier" <scrappy@hub.org>
Cc:        freebsd-stable@freebsd.org, Kris Kennaway <kris@obsecurity.org>
Subject:   Re: [FreeBSD 6] semctl broken compared to 4-STABLE ...
Message-ID:  <20060402193808.GA57127@xor.obsecurity.org>
In-Reply-To: <20060402162612.N947@ganymede.hub.org>
References:  <20060402144704.S947@ganymede.hub.org> <20060402191519.GA56599@xor.obsecurity.org> <20060402162612.N947@ganymede.hub.org>

On Sun, Apr 02, 2006 at 04:32:31PM -0300, Marc G. Fournier wrote:
> On Sun, 2 Apr 2006, Kris Kennaway wrote:
> 
> >On Sun, Apr 02, 2006 at 02:55:39PM -0300, Marc G. Fournier wrote:
> >>
> >>Back in April '05, someone posted a thread about PostgreSQL within FreeBSD
> >>jails:
> >>
> >>http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2005-04/0837.html
> >>
> >>At the time (and to date) I reported that I was running several PostgreSQL
> >>daemons, all on the same port, using FreeBSD 4.x, and all within a jail
> >>each ... and I continue to do this without any problems ...
> >>
> >>Today, on our new FreeBSD 6.x machine, I am now experiencing the same
> >>problem that Alexander originally reported ...
> >>
> >>It's not PostgreSQL related ... I'm running 4x7.4 servers on a FreeBSD 4.x
> >>box, all on the same port ... here, I'm trying to run 2x7.4 servers on a
> >>FreeBSD RELENG_6 box ...
> >>
> >>So, something has changed with FreeBSD 6's (and, according to the above
> >>thread, 5's) use of shared memory and semaphores that is breaking the
> >>ability to do this ... something that did work as hoped in FreeBSD 4 ...
> >
> >See jail(8)?
> 
> If you are referring to:
> 
>      security.jail.sysvipc_allowed
>           This MIB entry determines whether or not processes within a jail
>           have access to System V IPC primitives.  In the current jail
>           implementation, System V primitives share a single namespace across
>           the host and jail environments, meaning that processes within a jail
>           would be able to communicate with (and potentially interfere with)
>           processes outside of the jail, and in other jails.  As such, this
>           functionality is disabled by default, but can be enabled by setting
>           this MIB entry to 1.
> 
> That wording hasn't changed since FreeBSD 4.x, so you are saying that
> FreeBSD 6.x has become *less* stable/secure in this regard than FreeBSD 4.x
> was?  Seems an odd direction to go ...

No, as you say the wording hasn't changed: "meaning that processes
within a jail would be able to communicate with (and potentially
interfere with) processes outside of the jail, and in other jails.".
It looks like your postgresql's are doing this.

Kris
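The jail(8) text quoted above is the whole mechanism: with one System V namespace shared by host and jails, the second daemon that asks for a key another daemon already holds is refused, which is what two database servers configured identically in two jails run into. The C probe below is an added example, not code from this thread or from PostgreSQL; the key value is constructed (a fixed prefix plus the PID, this example's own scheme, not PostgreSQL's real key derivation) and the collision is simulated within one process standing in for a daemon in a second jail.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ipc.h>
#include <sys/shm.h>

enum probe_result { KEY_FREE = 0, KEY_IN_USE = 1, KEY_ERROR = -1 };

/* Constructed demo key (not PostgreSQL's derivation): prefix + PID so
 * repeated runs do not trip over segments left behind by an earlier run. */
key_t demo_key(void) { return (key_t)(0x50000000 | (getpid() & 0xffff)); }

/* Request the segment with IPC_EXCL: EEXIST means some other process, on the
 * host or in another jail sharing the namespace, already owns this key.
 * On KEY_FREE the caller owns the new segment and must release_segment() it. */
int probe_key(key_t key, size_t size, int *shmid_out)
{
    int id = shmget(key, size, IPC_CREAT | IPC_EXCL | 0600);
    if (id >= 0) {
        *shmid_out = id;
        return KEY_FREE;
    }
    return errno == EEXIST ? KEY_IN_USE : KEY_ERROR;
}

int release_segment(int shmid) { return shmctl(shmid, IPC_RMID, NULL); }

/* First creator wins; a second creator of the same key (here the same
 * process, standing in for a daemon in a second jail) is told it is taken. */
int demo_collision(key_t key)
{
    int first, second;
    if (probe_key(key, 4096, &first) != KEY_FREE)
        return KEY_ERROR;               /* could not even get the first segment */
    int result = probe_key(key, 4096, &second);
    if (result == KEY_FREE)
        release_segment(second);        /* would mean separate namespaces */
    release_segment(first);
    return result;                      /* KEY_IN_USE in a shared namespace */
}

int main(void)
{
    key_t key = demo_key();
    int r = demo_collision(key);
    printf("key 0x%lx: %s\n", (unsigned long)key,
           r == KEY_IN_USE ? "second creator got EEXIST (shared namespace)"
           : r == KEY_FREE ? "no collision" : "shmget failed");
    return r == KEY_IN_USE ? 0 : 1;
}
```

Run it once on the host and once inside a jail with sysvipc_allowed set to see whether the two views of the key space are the same.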

