Re: semaphore usage "port based"? - Mailing list pgsql-hackers
From | Bruce Momjian |
---|---|
Subject | Re: semaphore usage "port based"? |
Date | |
Msg-id | 200604111927.k3BJRXH26498@candle.pha.pa.us |
In response to | Re: semaphore usage "port based"? (Stephen Frost <sfrost@snowman.net>) |
Responses | Re: semaphore usage "port based"? |
List | pgsql-hackers |
[ FreeBSD email list removed.]

I totally agree, and have added the attached documentation patch to
recommend using different users in FreeBSD jails.

---------------------------------------------------------------------------

Stephen Frost wrote:
-- Start of PGP signed section.
> * Marc G. Fournier (scrappy@postgresql.org) wrote:
> > On Mon, 3 Apr 2006, Stephen Frost wrote:
> > > Running the Postgres instances under different uids (as you'd probably
> > > expect to do anyway if not using the jails) is probably the right
> > > approach. Doing that and using jails would probably work, just don't
> > > delude yourself into thinking that you're safe from a malicious user in
> > > one jail.
> >
> > We don't ... we put all our databases on a central database server, even
> > private ones, that nobody has shell access to ... we keep them isolated
> > ...
>
> I guess what I was trying to get at is this:
>
> Running 2 Postgres instances under FreeBSD with (or without really, but
> I guess that's more obvious) jails but with the same UID is a bad idea.
> Even if Postgres could be modified to allow this to work you're going to
> be in a position where the jail isn't really helping much except to give
> a somewhat false (in this case) sense of security. We probably
> shouldn't encourage it and in fact it's something of a nice feature that
> it breaks.
>
> The reasoning is pretty simple: if someone manages to get control of
> one of the Postgres instances they're going to be able to wreak havoc on
> the other. With different UIDs, with or without jails, this would be
> much more difficult (need to get root first).
>
> Running 2 Postgres instances under FreeBSD with jails *and* different
> UIDs is *probably* better than w/o jails but since you have to enable
> the single-instance IPC system it might not be that great of a benefit
> over a simple chroot or similar.
>
> Hope that helps...
>
> Thanks,
>
> Stephen
-- End of PGP section, PGP failed!
--
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

Index: doc/src/sgml/runtime.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v retrieving revision 1.366 diff -c -c -r1.366 runtime.sgml *** doc/src/sgml/runtime.sgml 3 Apr 2006 23:35:02 -0000 1.366 --- doc/src/sgml/runtime.sgml 11 Apr 2006 19:23:27 -0000 *************** *** 764,769 **** --- 764,781 ---- </para> <para> + If running in FreeBSD jails by enabling <application>sysconf</>'s + <literal>security.jail.sysvipc_allowed</>, <application>postmaster</>s + running in different jails should be run by different operating system + users. This improves security because it prevents one jail from + interfering with shared memory or semaphores in another, and it + allows the PostgreSQL IPC cleanup code to function properly. + (In FreeBSD 6.0 and later the IPC cleanup code doesn't properly detect + processes in other jails, preventing the running of postmasters on the + same port in different jails.) + </para> + + <para> <systemitem class="osname">FreeBSD</> versions before 4.0 work like <systemitem class="osname">NetBSD</> and <systemitem class="osname"> OpenBSD</> (see below).
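Review bot: `<application>sysconf</>` in the first added line of the hunk names the wrong tool. `security.jail.sysvipc_allowed` is a kernel sysctl(8) MIB, set with `sysctl security.jail.sysvipc_allowed=1` or in /etc/sysctl.conf, while sysconf is an unrelated POSIX library function; the line should read `<application>sysctl</>'s`. The closing parenthetical is also ambiguous about whose code is at fault: "In FreeBSD 6.0 and later the IPC cleanup code doesn't properly detect processes in other jails" reads as a FreeBSD defect, yet the preceding sentence talks about "the PostgreSQL IPC cleanup code"; say explicitly that a postmaster cannot see processes in other jails, so PostgreSQL's check for a stale segment misfires, and that distinct users per jail avoid the shared-memory and semaphore overlap regardless of that check.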
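Stephen's point above (an attacker who controls one postmaster can reach the IPC of any other running under the same UID once `security.jail.sysvipc_allowed` is on) suggests a simple check on the jail host: list the postmasters and flag any OS user that owns more than one. This added example is not from the thread or from PostgreSQL; it embeds constructed `ps`-style input (UID, user, command) so it runs offline and assumes the server binary is named `postmaster`.

```shell
# Added example, not from the thread or from PostgreSQL: report OS users
# that own more than one postmaster, the situation Stephen warns about.
# Input lines are "UID USER COMMAND ..." as printed by
#   ps -axo uid=,user=,command=
# The sample below is constructed. On FreeBSD, run ps on the host rather
# than inside a jail so the postmasters of every jail are visible.
# Assumes the server binary is named "postmaster".
SAMPLE_PS='70 pgsql /usr/local/bin/postmaster -D /var/db/pgsql/jail1
70 pgsql /usr/local/bin/postmaster -D /var/db/pgsql/jail2
71 pgsql2 /usr/local/bin/postmaster -D /var/db/pgsql/jail3
0 root /usr/sbin/sshd'

# shared_postmaster_uids INPUT
# Prints one line per UID that runs two or more postmasters and returns 1;
# returns 0 (printing nothing) when every postmaster has its own UID.
shared_postmaster_uids() {
    printf '%s\n' "$1" | awk '
        $3 ~ /(^|\/)postmaster$/ { count[$1]++; user[$1] = $2 }
        END {
            bad = 0
            for (uid in count) if (count[uid] > 1) {
                printf "uid %s (%s) runs %d postmasters\n", uid, user[uid], count[uid]
                bad = 1
            }
            exit bad
        }'
}

shared_postmaster_uids "$SAMPLE_PS" || echo "postmasters share a UID: give each jail its own user"
```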