Date: Mon, 3 Apr 2006 15:45:24 -0400 From: Kris Kennaway <kris@obsecurity.org> To: Tom Lane <tgl@sss.pgh.pa.us>, Robert Watson <rwatson@FreeBSD.org>, "Marc G. Fournier" <scrappy@postgresql.org>, Kris Kennaway <kris@obsecurity.org>, freebsd-stable@FreeBSD.org, pgsql-hackers@postgresql.org Subject: Re: [HACKERS] semaphore usage "port based"? Message-ID: <20060403194524.GA58237@xor.obsecurity.org> In-Reply-To: <20060403194251.GF4474@ns.snowman.net> References: <20060402225204.U947@ganymede.hub.org> <26985.1144029657@sss.pgh.pa.us> <20060402231232.C947@ganymede.hub.org> <27148.1144030940@sss.pgh.pa.us> <20060402232832.M947@ganymede.hub.org> <20060402234459.Y947@ganymede.hub.org> <27417.1144033691@sss.pgh.pa.us> <20060403164139.D36756@fledge.watson.org> <14654.1144082224@sss.pgh.pa.us> <20060403194251.GF4474@ns.snowman.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--ReaqsoxgOBHFXBhH Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 03, 2006 at 03:42:51PM -0400, Stephen Frost wrote: > * Tom Lane (tgl@sss.pgh.pa.us) wrote: > > That's a fair question, but in the context of the code I believe we are > > behaving reasonably. The reason this code exists is to provide some > > insurance against leaking semaphores when a postmaster process is > > terminated unexpectedly (ye olde often-recommended-against "kill -9 > > postmaster", for instance). If the PID returned by GETPID is >=20 > Could this be handled sensibly by using SEM_UNDO? Just a thought. >=20 > > So I think the code is pretty bulletproof as long as it's in a system > > that is behaving per SysV spec. The problem in the current FBSD > > situation is that the jail mechanism is exposing semaphore sets across > > jails, but not exposing the existence of the owning processes. That > > behavior is inconsistent: if process A can affect the state of a sema > > set that process B can see, it's surely unreasonable to pretend that A > > doesn't exist. >=20 > This is certainly a problem with FBSD jails... Not only the > inconsistancy, but what happens if someone manages to get access to the > appropriate uid under one jail and starts sniffing or messing with the > semaphores or shared memory segments from other jails? If that's > possible then that's a rather glaring security problem... This was stated already upthread, but sysv IPC is disabled by default in jails for precisely this reason. So yes, when you turn it on it's a potential security problem if your jails are supposed to be compartmentalized. Kris --ReaqsoxgOBHFXBhH Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQFEMXtTWry0BWjoQKURAv7kAJ44Pj6OEpKv4XMRRVe8gB5UrNUadACg32mb 7osslD45n6MSY2TeF1tQNAI= =uj9p -----END PGP SIGNATURE----- --ReaqsoxgOBHFXBhH--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060403194524.GA58237>