Date: Mon, 3 Apr 2006 15:42:51 -0400 From: Stephen Frost <sfrost@snowman.net> To: Tom Lane <tgl@sss.pgh.pa.us> Cc: freebsd-stable@FreeBSD.org, "Marc G. Fournier" <scrappy@postgresql.org>, pgsql-hackers@postgresql.org, Robert Watson <rwatson@FreeBSD.org>, Kris Kennaway <kris@obsecurity.org> Subject: Re: [HACKERS] semaphore usage "port based"? Message-ID: <20060403194251.GF4474@ns.snowman.net> In-Reply-To: <14654.1144082224@sss.pgh.pa.us> References: <26796.1144028094@sss.pgh.pa.us> <20060402225204.U947@ganymede.hub.org> <26985.1144029657@sss.pgh.pa.us> <20060402231232.C947@ganymede.hub.org> <27148.1144030940@sss.pgh.pa.us> <20060402232832.M947@ganymede.hub.org> <20060402234459.Y947@ganymede.hub.org> <27417.1144033691@sss.pgh.pa.us> <20060403164139.D36756@fledge.watson.org> <14654.1144082224@sss.pgh.pa.us>
next in thread | previous in thread | raw e-mail | index | archive | help
--lUkxMhOuraQ/yn/j Content-Type: text/plain; charset=us-ascii Content-Disposition: inline * Tom Lane (tgl@sss.pgh.pa.us) wrote: > That's a fair question, but in the context of the code I believe we are > behaving reasonably. The reason this code exists is to provide some > insurance against leaking semaphores when a postmaster process is > terminated unexpectedly (ye olde often-recommended-against "kill -9 > postmaster", for instance). If the PID returned by GETPID is Could this be handled sensibly by using SEM_UNDO? Just a thought. > So I think the code is pretty bulletproof as long as it's in a system > that is behaving per SysV spec. The problem in the current FBSD > situation is that the jail mechanism is exposing semaphore sets across > jails, but not exposing the existence of the owning processes. That > behavior is inconsistent: if process A can affect the state of a sema > set that process B can see, it's surely unreasonable to pretend that A > doesn't exist. This is certainly a problem with FBSD jails... Not only the inconsistancy, but what happens if someone manages to get access to the appropriate uid under one jail and starts sniffing or messing with the semaphores or shared memory segments from other jails? If that's possible then that's a rather glaring security problem... Thanks, Stephen --lUkxMhOuraQ/yn/j Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFEMXq7rzgMPqB3kigRArkvAJwMJeG2nvga3zsDWF0uPjh8s7h5BgCfSF8R 0zGa1/IObPpRHtMpBoyypJU= =eYIQ -----END PGP SIGNATURE----- --lUkxMhOuraQ/yn/j--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060403194251.GF4474>