Stephen Frost wrote:
-- Start of PGP signed section.
> * Bruce Momjian (pgman@candle.pha.pa.us) wrote:
> > I updated the wording to say 'non-root users':
> >
> > If running in FreeBSD jails by enabling <application>sysconf</>'s
> > <literal>security.jail.sysvipc_allowed</>, <application>postmaster</>s
> > running in different jails should be run by different operating system
> > users. This improves security because it prevents non-root users
> > from interfering with shared memory or semaphores in a different jail,
> > and it allows the PostgreSQL IPC cleanup code to function properly.
> > (In FreeBSD 6.0 and later the IPC cleanup code doesn't properly detect
> > processes in other jails, preventing the running of postmasters on the
> > same port in different jails.)
>
> You're still saying it'll do something that it won't... It doesn't
> prevent non-root users from messing with each other if they're the same
> UID, even if they're under different jails... That's the whole problem
> here. :)
Uh, the first part says use different Unix users for different jails,
then it says why to do that (security). Seems clear to me.
-- Bruce Momjian http://candle.pha.pa.us EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +