[HACKERS] semaphore usage "port based"?
Daniel Eischen
deischen at freebsd.org
Mon Apr 3 19:41:29 UTC 2006
On Mon, 3 Apr 2006, Marc G. Fournier wrote:
> On Mon, 3 Apr 2006, Daniel Eischen wrote:
>
> >
> > Or:
> >
> > 3) Run postgres in such a way that it doesn't look for
> > remnant IPC information from other instances (use a
> > per-jail-specific port #?).
> >
> > Postgres has no business cleaning up after different jailed
> > instances of itself, which it wouldn't do if IPC's were
> > per-jail. So since IPC's don't currently work that way,
> > account for it by the way you run postgres.
>
> This falls under "well,we broke kill() so that it now reports a PID is not
> in use even though it is, so its has to be the application that fixes it"
No, kill is performing as it should. Se Robert's other response
regarding sendmail.
> ... and you *still* haven't shown *why* kill() reporting a PID is in use,
> even if its not in the current jail, is such a security threat ...
For reducing attacks I suppose. But conceptually, something running
in a jail shouldn't be allowed to see out.
--
DE
More information about the freebsd-stable
mailing list