[FreeBSD 6] semctl broken compared to 4-STABLE ...

Kris Kennaway kris at obsecurity.org
Sun Apr 2 19:38:22 UTC 2006 

On Sun, Apr 02, 2006 at 04:32:31PM -0300, Marc G. Fournier wrote:
> On Sun, 2 Apr 2006, Kris Kennaway wrote:
> 
> >On Sun, Apr 02, 2006 at 02:55:39PM -0300, Marc G. Fournier wrote:
> >>
> >>Back in April '05, someone posted a thread about PostgreSQL within FreeBSD
> >>jails:
> >>
> >>http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2005-04/0837.html
> >>
> >>At the time (and to date) I reported that I was running several PostgreSQL
> >>daemons, all on the same port, using FreeBSD 4.x, and all within a jail
> >>each ... and I continue to do this without any problems ...
> >>
> >>Today, on our new FreeBSD 6.x machine, I am now experiencing the same
> >>problem that Alexander originally reported ...
> >>
> >>Its not PostgreSQL related ... I'm running 4x7.4 servers on a FreeBSD 4.x
> >>box, all on the same port ... here, I'm trying to run 2x7.4 servers on a
> >>FreeBSD RELENG_6 box ...
> >>
> >>So, something has changed with FreeBSD 6's (and, according to the above
> >>thread, 5's) use of shared memory and semaphores that is breaking the
> >>ability to do this ... something that did work as hoped in FreeBSD 4 ...
> >
> >See jail(8)?
> 
> If you are referring to:
> 
>      security.jail.sysvipc_allowed
>           This MIB entry determines whether or not processes within a jail
>           have access to System V IPC primitives.  In the current jail 
>           imple-
>           mentation, System V primitives share a single namespace across the
>           host and jail environments, meaning that processes within a jail
>           would be able to communicate with (and potentially interfere with)
>           processes outside of the jail, and in other jails.  As such, this
>           functionality is disabled by default, but can be enabled by 
>           setting
>           this MIB entry to 1.
> 
> That wording hasn't changed since FreeBSD4.x, so you are saying that 
> FreeBSD6.x has become *less* stable/secure in this regard then FreeBSD 4.x 
> was?  Seems an odd direction to go ...

No, as you say the wording hasn't changed: "meaning that processes
within a jail would be able to communicate with (and potentially
interfere with) processes outside of the jail, and in other jails.".
It looks like your postgresql's are doing this.

Kris

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20060402/94f18e9a/attachment.pgp

More information about the freebsd-stable mailing list