Re: semaphore usage "port based"?

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, Robert Watson <rwatson(at)FreeBSD(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org, kris(at)obsecurity(dot)org
Subject: Re: semaphore usage "port based"?
Date: 2006-04-11 19:40:18
Message-ID: 20060411194018.GC4474@ns.snowman.net
Lists: pgsql-hackers

* Bruce Momjian (pgman(at)candle(dot)pha(dot)pa(dot)us) wrote:
> <para>
> + If running in FreeBSD jails by enabling <application>sysconf</>'s
> + <literal>security.jail.sysvipc_allowed</>, <application>postmaster</>s
> + running in different jails should be run by different operating system
> + users. This improves security because it prevents one jail from
> + interfering with shared memory or semaphores in another, and it
> + allows the PostgreSQL IPC cleanup code to function properly.
> + (In FreeBSD 6.0 and later the IPC cleanup code doesn't properly detect
> + processes in other jails, preventing the running of postmasters on the
> + same port in different jails.)
> + </para>
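Review bot: on the first added line, `<application>sysconf</>` should read `sysctl`, since `security.jail.sysvipc_allowed` is a sysctl(8) knob set with `sysctl security.jail.sysvipc_allowed=1`, not something configured through sysconf. The closing parenthetical also reads as if it contradicts the preceding sentence ("allows the PostgreSQL IPC cleanup code to function properly" followed by "the IPC cleanup code doesn't properly detect processes in other jails"); stating explicitly that the detection failure applies when the postmasters share an operating system user would make clear which case each sentence describes.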

This looks good, my only comment would be that we don't want people to
believe that using different users somehow makes the sysv spaces
separate between the jails. It doesn't. Even when using different
uids, a user who gets root in one jail would be able to mess with the
Postgres instance in the other jail through IPC.

Perhaps change:

"This improves security because it prevents one jail from
interfering with shared memory or semaphores in another"

to:

"This improves security because it prevents the postgres user in one
jail from interfering with shared memory or semaphores owned by a
different user in another jail (with BSD jails, root, or the same
UID, in any jail can see and interfere with the shared memory and
semaphores in any other jail of the same UID, or all if root)"

That's still not great but I think it's a little better...

Thanks,

Stephen
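The point made in the thread above (with sysvipc_allowed enabled, every jail shares one SysV IPC namespace, so separate uids are the only thing keeping a non-root user in one jail away from another jail's postmaster, and root in any jail sees everything) suggests a simple administrative check: confirm the sysctl state and verify that no two postmasters run under the same uid. The script below is an added example written for this page, not code from the thread or from PostgreSQL. All sample data is constructed; on a real host the two inputs come from `sysctl -n security.jail.sysvipc_allowed` and `ipcs -m`. It assumes each postmaster owns exactly one SysV shared memory segment, so an OWNER appearing on more than one `m` line means two postmasters share a uid.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit SysV IPC ownership on
# a FreeBSD host that runs one postmaster per jail with
# security.jail.sysvipc_allowed enabled.
# Assumption: one SysV shared memory segment per postmaster, so an owner that
# appears on several "m" lines runs several postmasters under the same uid.

# Constructed: what `sysctl -n security.jail.sysvipc_allowed` would print.
SAMPLE_SYSVIPC_ALLOWED=1

# Constructed: `ipcs -m` output in FreeBSD's column layout
# (T ID KEY MODE OWNER GROUP). Two segments belong to the same uid.
SAMPLE_IPCS='Shared Memory:
T           ID          KEY MODE        OWNER    GROUP
m      65536     5432001 --rw-------  pgsql    pgsql
m      65537     5433001 --rw-------  pgsql_j2 pgsql_j2
m      65538     5434001 --rw-------  pgsql    pgsql'

# Print owners that hold more than one shared memory segment, one per line.
owners_with_multiple_segments() {
    printf '%s\n' "$1" |
        awk '$1 == "m" { seen[$5]++ }
             END { for (o in seen) if (seen[o] > 1) print o }' |
        sort
}

# Count the distinct owners of shared memory segments.
distinct_segment_owners() {
    printf '%s\n' "$1" | awk '$1 == "m" { print $5 }' | sort -u | wc -l | tr -d ' '
}

# Report the risk for a given sysctl value and ipcs listing.
# Returns 0 when the configuration matches the thread's advice, 1 otherwise.
audit_jail_ipc() {
    allowed=$1
    ipcs_text=$2
    if [ "$allowed" != "1" ]; then
        echo "sysvipc_allowed is off: jailed processes cannot use SysV IPC at all"
        return 0
    fi
    dups=$(owners_with_multiple_segments "$ipcs_text")
    if [ -z "$dups" ]; then
        echo "sysvipc_allowed is on; each segment has a distinct owner" \
             "(root in any jail can still reach all of them)"
        return 0
    fi
    echo "sysvipc_allowed is on and these uids own several segments: $dups"
    return 1
}

# Stand-alone run against the constructed sample.
audit_jail_ipc "$SAMPLE_SYSVIPC_ALLOWED" "$SAMPLE_IPCS" || echo "review jail uids"
```

The awk filter keys on the `T` column being `m` so semaphore sets, which a single postmaster creates several of, do not count as duplicates; only the shared memory segments are compared by owner.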
