[FreeBSD 6] semctl broken compared to 4-STABLE ...
Kris Kennaway
kris at obsecurity.org
Sun Apr 2 19:38:22 UTC 2006
On Sun, Apr 02, 2006 at 04:32:31PM -0300, Marc G. Fournier wrote:
> On Sun, 2 Apr 2006, Kris Kennaway wrote:
>
> >On Sun, Apr 02, 2006 at 02:55:39PM -0300, Marc G. Fournier wrote:
> >>
> >>Back in April '05, someone posted a thread about PostgreSQL within FreeBSD
> >>jails:
> >>
> >>http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2005-04/0837.html
> >>
> >>At the time (and to date) I reported that I was running several PostgreSQL
> >>daemons, all on the same port, using FreeBSD 4.x, and all within a jail
> >>each ... and I continue to do this without any problems ...
> >>
> >>Today, on our new FreeBSD 6.x machine, I am now experiencing the same
> >>problem that Alexander originally reported ...
> >>
> >>It's not PostgreSQL related ... I'm running 4x7.4 servers on a FreeBSD 4.x
> >>box, all on the same port ... here, I'm trying to run 2x7.4 servers on a
> >>FreeBSD RELENG_6 box ...
> >>
> >>So, something has changed with FreeBSD 6's (and, according to the above
> >>thread, 5's) use of shared memory and semaphores that is breaking the
> >>ability to do this ... something that did work as hoped in FreeBSD 4 ...
> >
> >See jail(8)?
>
> If you are referring to:
>
> security.jail.sysvipc_allowed
> This MIB entry determines whether or not processes within a jail
> have access to System V IPC primitives. In the current jail
> implementation, System V primitives share a single namespace across the
> host and jail environments, meaning that processes within a jail
> would be able to communicate with (and potentially interfere with)
> processes outside of the jail, and in other jails. As such, this
> functionality is disabled by default, but can be enabled by setting
> this MIB entry to 1.
>
> That wording hasn't changed since FreeBSD 4.x, so you are saying that
> FreeBSD 6.x has become *less* stable/secure in this regard than FreeBSD 4.x
> was? Seems an odd direction to go ...
No, as you say the wording hasn't changed: "meaning that processes
within a jail would be able to communicate with (and potentially
interfere with) processes outside of the jail, and in other jails.".
It looks like your postgresql's are doing this.
Kris
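The collision Kris points at, as an added example that is not part of the thread: a small C program standing in for two PostgreSQL servers that share one System V IPC namespace, which is what two jails do on FreeBSD 6 once sysvipc_allowed is set to 1. The port * 1000 key scheme is an assumption made here for illustration, not something the thread states; the second instance detects the clash because IPC_EXCL makes semget fail with EEXIST.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/types.h>

/* Outcome of one server instance trying to claim "its" semaphore set. */
enum claim { CLAIM_CREATED, CLAIM_COLLIDED, CLAIM_ERROR };

/* Assumed key scheme: derive the SysV key from the listening port. */
static key_t key_for_port(int port) { return (key_t)(port * 1000); }

/* Create a semaphore set for this port. With IPC_EXCL the call fails with
 * EEXIST when a set with that key already exists anywhere in the shared
 * namespace, so an instance that runs second sees the first one. */
enum claim claim_semset(int port, int *id_out)
{
    int id = semget(key_for_port(port), 1, IPC_CREAT | IPC_EXCL | 0600);
    if (id >= 0) { *id_out = id; return CLAIM_CREATED; }
    if (errno == EEXIST) return CLAIM_COLLIDED;
    return CLAIM_ERROR;
}

/* Remove a set so nothing lingers in the namespace after we exit. */
int release_semset(int id) { return semctl(id, 0, IPC_RMID); }

/* Two instances in one namespace: the first uses port_a, the second port_b.
 * Returns 1 if the second collided, 0 if it got its own set, -1 on error. */
int second_instance_collides(int port_a, int port_b)
{
    int a = -1, b = -1;
    if (claim_semset(port_a, &a) != CLAIM_CREATED) return -1;
    enum claim second = claim_semset(port_b, &b);
    if (second == CLAIM_CREATED) release_semset(b);
    release_semset(a);
    if (second == CLAIM_ERROR) return -1;
    return second == CLAIM_COLLIDED;
}

int main(void)
{
    printf("two servers on port 5432: %s\n",
           second_instance_collides(5432, 5432) == 1 ? "collide" : "no collision");
    printf("servers on 5432 and 5433: %s\n",
           second_instance_collides(5432, 5433) == 0 ? "no collision" : "collide");
    return 0;
}
```

Giving each jailed server its own port (or its own key) is what keeps them apart while the namespace stays shared.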