jail + postgresql + System V IPC
Michael Sig Birkmose
birkmose at cs.auc.dk
Wed Sep 10 08:18:19 PDT 2003
Hi everyone,
I have recently installed a jail environment on my FreeBSD box, and had some
problems getting postgresql running under it.
After looking a bit on various mailing lists I figured out that I needed to
set jail.sysvipc_allowed to 1 using sysctl in order to make postgresql
run.
However man jail gives me:
jail.sysvipc_allowed
This MIB entry determines whether or not processes within a jail
have access to System V IPC primitives. In the current jail
implementation, System V primitives share a single namespace across the
host and jail environments, meaning that processes within a jail
would be able to communicate with (and potentially interfere with)
processes outside of the jail, and in other jails. As such, this
functionality is disabled by default, but can be enabled by setting
this MIB entry to 1.
Reading this it sounds like setting jail.sysvipc_allowed=1 is a bad idea?
So I guess my question is whether it is a big security risk to run
postgresql in a jail? And what if I am running postgresql in both the host
environment and the jailed environment? Will I be asking for trouble? I
managed to get things running, and so far I haven't had problems, but I was
wondering if it is safe to run postgresql + jail. I have seen an ISP
offering FreeBSD jails, and they have a list regarding downsides of running
jail (such as you can't use ICMP, shared hardware etc.). In this list
they also include that you can't run postgresql. This just makes me wonder
even more if this cocktail is a good idea :)
Cheers,
--
Michael Birkmose
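The man page text quoted in the post describes the one thing that matters here: with jail.sysvipc_allowed=1 there is a single System V IPC namespace, so a shared memory segment created by a host PostgreSQL is visible to, and attachable from, every jail. The script below is an added example (not code from the original post or from FreeBSD) that audits exactly that condition. It parses the output of `sysctl jail.sysvipc_allowed` and `ipcs -m`; the sample outputs are constructed here so the script runs offline, and the ipcs column layout (T, ID, KEY, MODE, OWNER, GROUP) is an assumption about FreeBSD's ipcs(1) format. The owner name `pgsql`, the segment IDs and the keys are made up for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): check whether jailed
# processes can reach a host PostgreSQL's System V shared memory.

# Constructed sample of `sysctl jail.sysvipc_allowed` output (assumption
# about the "name: value" format).
SAMPLE_SYSCTL='jail.sysvipc_allowed: 1'

# Constructed sample of `ipcs -m` output. The pgsql-owned segment stands in
# for a host PostgreSQL instance; the column layout is an assumption.
SAMPLE_IPCS='Shared Memory:
T     ID     KEY        MODE       OWNER    GROUP
m  65536 5432001 --rw------- pgsql    pgsql
m  65537       0 --rw-rw-rw- www      www'

# sysvipc_allowed_value: print the value from a "jail.sysvipc_allowed: N" line.
sysvipc_allowed_value() {
    printf '%s\n' "$1" | awk -F': ' '/^jail\.sysvipc_allowed/ { print $2 }'
}

# shm_owned_by USER IPCS_OUTPUT: print IDs of shm segments owned by USER.
# Only "m" rows are segments; the header and title lines are skipped.
shm_owned_by() {
    printf '%s\n' "$2" | awk -v user="$1" '$1 == "m" && $5 == user { print $2 }'
}

# world_writable_shm IPCS_OUTPUT: print IDs of segments whose mode string
# has the "other write" bit (10th character of --rw-rw-rw-) set.
world_writable_shm() {
    printf '%s\n' "$1" | awk '$1 == "m" && substr($4, 10, 1) == "w" { print $2 }'
}

# jail_can_reach_host_shm OWNER SYSCTL_OUTPUT IPCS_OUTPUT
# Returns 0 (true) when the namespace is shared AND OWNER has segments,
# i.e. when a jail can see the host database's shared memory.
jail_can_reach_host_shm() {
    owner="$1"; sysctl_out="$2"; ipcs_out="$3"
    if [ "$(sysvipc_allowed_value "$sysctl_out")" != "1" ]; then
        echo "jail.sysvipc_allowed is not 1: jailed processes get no SysV IPC at all"
        return 1
    fi
    ids=$(shm_owned_by "$owner" "$ipcs_out")
    if [ -z "$ids" ]; then
        echo "namespace is shared, but no shm segments are owned by $owner"
        return 1
    fi
    echo "WARNING: shared SysV namespace; segments owned by $owner are visible from every jail:"
    for id in $ids; do
        echo "  shm id $id"
    done
    for id in $(world_writable_shm "$ipcs_out"); do
        echo "  note: shm id $id is writable by any uid, in or out of a jail"
    done
    return 0
}

# Run the audit against the constructed samples.
jail_can_reach_host_shm pgsql "$SAMPLE_SYSCTL" "$SAMPLE_IPCS"
```

Run it as-is to see the verdict for the samples, or replace the two sample variables with `"$(sysctl jail.sysvipc_allowed)"` and `"$(ipcs -m)"` on a real host. Because the jail does not give processes their own uid range, the owner check is the important one: a jailed process running under the same numeric uid as the host's PostgreSQL can attach to that segment with the default `--rw-------` mode, and the mode check only flags segments that are reachable from any uid at all.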