Re: Shared memory and FreeBSD's jail()
| От | Scott Marlowe |
|---|---|
| Тема | Re: Shared memory and FreeBSD's jail() |
| Дата | |
| Msg-id | 1116516822.31821.76.camel@state.g2switchworks.com обсуждение исходный текст |
| Ответ на | Shared memory and FreeBSD's jail() (lister <lister@primetime.com>) |
| Ответы |
Re: Shared memory and FreeBSD's jail()
|
| Список | pgsql-general |
On Thu, 2005-05-19 at 09:46, lister wrote: > At the BSDCan tutorial last week on jails (and several other times) > there was discussion regarding Postgres's use of system V style > shared memory, and an unfortunate side effect of making jail() less > secure. Specifically, to allow Postgres to operate in a jail()ed > environment, the sysctl : > jail.sysvipc_allowed=1 > has to be set. This allows ALL jails to access the memory, at the least > leaving Postgres open to attack, at the worst allowing a door into who > knows what security breach. > Question : is there any way to run Postgres securely in a jail? I'm note sure that this is an actual security issue. Assuming that the processes running each jail are running under a different UID, they shouldn't be anymore able to access each other's shared memory than they would be able to share each others files.
В списке pgsql-general по дате отправления: