Date:      Wed, 10 Sep 2003 17:03:37 +0200
From:      "Michael Sig Birkmose" <birkmose@cs.auc.dk>
To:        <freebsd-stable@freebsd.org>
Subject:   jail + postgresql + System V IPC
Message-ID:  <007301c377ac$b76844d0$0301a8c0@mrwinslows>

Hi everyone,

I have recently installed a jail environment on my freebsd box, and had some
problems getting postgresql running under it.
After looking a bit on various mailing lists I figured out that I needed to
set jail.sysvipc_allowed to be 1 using sysctl in order to make postgresql
run.

However man jail gives me:

     jail.sysvipc_allowed
          This MIB entry determines whether or not processes within a jail
          have access to System V IPC primitives.  In the current jail
          implementation, System V primitives share a single namespace across
          the host and jail environments, meaning that processes within a jail
          would be able to communicate with (and potentially interfere with)
          processes outside of the jail, and in other jails.  As such, this
          functionality is disabled by default, but can be enabled by setting
          this MIB entry to 1.


Reading this, it sounds like setting jail.sysvipc_allowed=1 is a bad idea?
So I guess my question is whether it is a big security risk to run
postgresql in a jail? And what if I am running postgresql in both the host
environment and the jailed environment? Will I be asking for trouble? I
managed to get things running, and so far I haven't had problems, but I was
wondering if it is safe to run postgresql + jail. I have seen an ISP
offering freebsd jails, and they have a list regarding downsides of running
a jail (such as you can't use ICMP, shared hardware, etc.). In this list
they also include that you can't run postgresql. This just makes me wonder
even more if this cocktail is a good idea :)

Cheers,
-- 
Michael Birkmose
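
The single namespace described in the man page excerpt above, as an added example that is not part of the original message: inside one System V IPC namespace a shared memory segment is found by its numeric key alone, so a second process that knows the key reaches the same segment, and a second exclusive create on that key collides. `DEMO_KEY`, `SEG_SIZE` and `sysv_key_is_global` are names constructed for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_KEY ((key_t)0x4a41494c) /* constructed key for this example */
#define SEG_SIZE 4096

/* Bitmask result: 1 = another process found the segment using only the key
 * and read it; 2 = a second exclusive create on the same key got EEXIST.
 * Returns -1 if the segment could not be created or attached. */
int sysv_key_is_global(void)
{
    int result = 0, status = 0;
    int id = shmget(DEMO_KEY, SEG_SIZE, IPC_CREAT | IPC_EXCL | 0600);
    if (id == -1)
        return -1;
    char *mem = shmat(id, NULL, 0);
    if (mem == (char *)-1) {
        shmctl(id, IPC_RMID, NULL);
        return -1;
    }
    strcpy(mem, "owner-data");

    pid_t pid = fork();
    if (pid == 0) {
        /* Child: look the segment up by key alone. Mode 0600 allows this
         * because the child runs under the same uid as the creator. */
        int cid = shmget(DEMO_KEY, 0, 0);
        char *cmem = (cid == -1) ? (char *)-1 : shmat(cid, NULL, SHM_RDONLY);
        _exit(cmem != (char *)-1 && strcmp(cmem, "owner-data") == 0 ? 0 : 1);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid &&
        WIFEXITED(status) && WEXITSTATUS(status) == 0)
        result |= 1;

    /* A second creator that picks the same key collides with the first. */
    if (shmget(DEMO_KEY, SEG_SIZE, IPC_CREAT | IPC_EXCL | 0600) == -1 &&
        errno == EEXIST)
        result |= 2;

    shmdt(mem);
    shmctl(id, IPC_RMID, NULL); /* always remove the demo segment */
    return result;
}

int main(void) { printf("result = %d\n", sysv_key_is_global()); return 0; }
```

With a shared namespace the only separation left between segments is the owning uid and the mode bits, which is why the creating call uses 0600 here.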


