security.jail.sysvipc_allowed: implications ?

Andy Smith andy at freebsdwiki.org
Tue Nov 23 06:37:48 PST 2004


On Mon, Nov 22, 2004 at 03:23:02PM -0600, klr at 6s-gaming.com wrote:
> I'd like to know what are the implications of setting
> security.jail.sysvipc_allowed=1 while using FreeBSD jails. If I understood
> correctly, setting this to 1 allows processes inside the jail to
> communicate to the host server/other jails using SysV shared memory, but I
> don't understand the full implications of this.

I don't either, but I believe it basically means that if a program
(inside a jail or on the host system) were to create some shared
memory that "everyone" was allowed access to, then even processes in
other jails could access this memory, which may be contrary to what
you would expect from a jailed environment.

Basically all of your SysV stuff would be global as opposed to
separate for each jail.

> Is there any concern using this sysctl as 1 on a system with only a jail
> without any ssh access, and nothing but courier, postfix, and apache?
> (inside jail)

If you don't care that processes in other jails and on the host
would be able to manipulate any shared memory from that jail as it
would on a normal unjailed system, then no, I think not.

As far as SysV IPC goes it makes it as if nothing is jailed.

PS I have had real problems getting SysV message queues to work
inside a jail even with this sysctl set, but I have never bothered
to chase it down as yet.
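Since the point above is that with security.jail.sysvipc_allowed=1 the SysV IPC namespace is shared and only the ordinary uid/gid mode bits govern who can attach, the practical check before enabling it is to audit what segments exist and who their mode bits admit. The following script is an added example and not part of this thread or of FreeBSD; it parses `ipcs -m` output (a constructed sample in the FreeBSD layout is embedded, and octal modes as printed on Linux are also accepted) and groups each segment by how far its permissions reach. Segment ids, keys and owner names in the sample are made up.

```python
import re
import subprocess
import sys

# Constructed sample laid out like FreeBSD `ipcs -m`; the ids, keys and owners are hypothetical.
SAMPLE_IPCS_M = """\
Shared Memory:
T           ID          KEY MODE        OWNER    GROUP
m        65536   1481843054 --rw-rw-rw- www      www
m        65537            0 --rw------- postfix  postfix
m        65538      5432001 --rw-r----- pgsql    pgsql
"""

# Optional leading flag characters, then the nine rwx characters.
_SYMBOLIC = re.compile(r"^[-a-zA-Z]{0,2}([rwxsStT-]{9})$")


def mode_to_bits(token):
    """Turn an ipcs MODE field into a 9-bit permission mask.

    Accepts the symbolic form ('--rw-rw-rw-', as FreeBSD prints it) and the
    octal form ('666', as Linux prints it).
    """
    if token.isdigit():
        return int(token, 8) & 0o777
    m = _SYMBOLIC.match(token)
    if not m:
        raise ValueError("unrecognised mode field: %r" % token)
    bits = 0
    for ch in m.group(1):
        bits = (bits << 1) | (0 if ch == "-" else 1)
    return bits


def parse_ipcs_shm(text):
    """Return one dict per shared-memory segment ('m' rows) in ipcs -m output."""
    segments = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "m":
            continue
        segments.append({
            "id": int(fields[1]),
            "key": fields[2],
            "mode": mode_to_bits(fields[3]),
            "owner": fields[4],
            "group": fields[5],
        })
    return segments


def reach(segment):
    """Classify who may attach once the IPC namespace is global.

    'world'  any process anywhere, regardless of uid
    'group'  any process (in any jail) whose gid matches, since numeric gids are global
    'owner'  any process (in any jail) whose uid matches, since numeric uids are global
    """
    if segment["mode"] & 0o006:
        return "world"
    if segment["mode"] & 0o060:
        return "group"
    return "owner"


def cross_jail_exposure(text):
    """Group segment ids by reach class, so an admin sees what sysvipc_allowed=1 would expose."""
    report = {"world": [], "group": [], "owner": []}
    for seg in parse_ipcs_shm(text):
        report[reach(seg)].append(seg["id"])
    return report


if __name__ == "__main__":
    # Pass --live to read the running system instead of the embedded sample.
    if "--live" in sys.argv:
        text = subprocess.run(["ipcs", "-m"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_IPCS_M
    for cls, ids in cross_jail_exposure(text).items():
        print("%-6s %s" % (cls, ids))
```

The "owner" and "group" classes matter as much as "world": because jails do not get their own uid space, a web server running as the same numeric uid in two jails would see each other's segments once the sysctl is on, so the audit should be read alongside which uids are in use in each jail.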