| From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, Robert Watson <rwatson(at)FreeBSD(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org, kris(at)obsecurity(dot)org |
| Subject: | Re: semaphore usage "port based"? |
| Date: | 2006-04-11 19:42:58 |
| Message-ID: | 200604111942.k3BJgw604841@candle.pha.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Stephen Frost wrote:
-- Start of PGP signed section.
> * Bruce Momjian (pgman(at)candle(dot)pha(dot)pa(dot)us) wrote:
> > <para>
> > + If running in FreeBSD jails by enabling <application>sysconf</>'s
> > + <literal>security.jail.sysvipc_allowed</>, <application>postmaster</>s
> > + running in different jails should be run by different operating system
> > + users. This improves security because it prevents one jail from
> > + interfering with shared memory or semaphores in another, and it
> > + allows the PostgreSQL IPC cleanup code to function properly.
> > + (In FreeBSD 6.0 and later the IPC cleanup code doesn't properly detect
> > + processes in other jails, preventing the running of postmasters on the
> > + same port in different jails.)
> > + </para>
>
> This looks good, my only comment would be that we don't want people to
> believe that using different users somehow makes the sysv spaces
> seperate between the jails. It doesn't. Even when using different
> uids, a user who gets root in one jail would be able to mess with the
> Postgres instance in the other jail through IPC.
>
> Perhaps change:
>
> "This improves security because it prevents one jail from
> interfering with shared memory or semaphores in another"
>
> to:
>
> "This improves security because it prevents the postgres user in one
> jail from interfering with shared memory or semaphores owned by a
> different user in another jail (with BSD jails, root, or the same
> UID, in any jail can see and interfere with the shared memory and
> semaphores in any other jail of the same UID, or all if root)"
>
> That's still not great but I think it's a little better...
I updated the wording to say 'non-root users':
If running in FreeBSD jails by enabling <application>sysconf</>'s
<literal>security.jail.sysvipc_allowed</>, <application>postmaster</>s
running in different jails should be run by different operating system
users. This improves security because it prevents non-root users
from interfering with shared memory or semaphores in a different jail,
and it allows the PostgreSQL IPC cleanup code to function properly.
(In FreeBSD 6.0 and later the IPC cleanup code doesn't properly detect
processes in other jails, preventing the running of postmasters on the
same port in different jails.)
--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2006-04-11 19:51:34 | Re: semaphore usage "port based"? |
| Previous Message | Stephen Frost | 2006-04-11 19:40:18 | Re: semaphore usage "port based"? |