Date: Tue, 31 Oct 2000 11:27:18 -0500 (EST)
From: Robert Watson <rwatson@FreeBSD.org>
To: freebsd-stable@FreeBSD.org
Subject: Heads up to jail() users in -STABLE
Message-ID: <Pine.NEB.3.96L.1001031112044.58688t-100000@fledge.watson.org>
The issue has been raised on -security that jail() doesn't virtualize the System V IPC namespace. This is not a security hole per se, as jail doesn't claim to address it, but it may have undesirable properties at some sites.

Rather than leave it in its current "not well defined state", I recently committed changes to -CURRENT that disable access to System V IPC from within jails by default, restricting use of these features to the host environment, in effect collapsing it into a single host namespace. It can be turned back on again using the sysctl jail.sysvipc_allowed, and setting that MIB entry to 1.

This means that operators will be surprised that their System V IPC application will simply fail to run in jail, instead of having odd interactions with other System V IPC applications in other jails, or in the host environment. For example, postgresql will now refuse to run in jail(). Most applications, however, will be unaffected by this change.

This feature is documented in the jail.8 manpage (or will be in -STABLE when the backport occurs), so it will be easy for administrators to re-enable System V IPC if that is appropriate in their environment.

I have received permission from the release engineer to backport this to -STABLE in time for the upcoming 4.2 release, and plan to do so this evening, pending reasonable objections.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
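
An added example, not part of the original message and not FreeBSD's own code: a small C probe an operator can run on the host and inside a jail to see whether System V IPC is reachable and whether a key is shared between processes, as the message describes. It assumes a blocked call surfaces as ENOSYS (the message only says the application fails to run); the key 0x4a41494c and the function names are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SYSV_OK = 0, SYSV_BLOCKED = 1, SYSV_ERROR = 2 };
#define DEMO_KEY ((key_t)0x4a41494c)  /* constructed key, "JAIL" in ASCII */

/* Classify whether System V shared memory is usable from this process. */
int probe_sysv_shm(void) {
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600);
    if (id < 0)  /* assumption: a jail with the sysctl at 0 reports ENOSYS */
        return errno == ENOSYS ? SYSV_BLOCKED : SYSV_ERROR;
    shmctl(id, IPC_RMID, NULL);  /* do not leak the probe segment */
    return SYSV_OK;
}

/* 1 if another process reaches the same segment knowing only the key,
 * 0 if it does not, -1 if the segment could not be created here. */
int key_is_shared(key_t key) {
    int id = shmget(key, 4096, IPC_CREAT | IPC_EXCL | 0600);
    if (id < 0)
        return -1;
    int shared = 0, status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        int cid = shmget(key, 0, 0);  /* lookup by key only, no IPC_CREAT */
        _exit(cid == id ? 0 : 1);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        shared = WIFEXITED(status) && WEXITSTATUS(status) == 0;
    shmctl(id, IPC_RMID, NULL);
    return shared;
}

int main(void) {
    static const char *names[] = { "available", "blocked (ENOSYS)", "error" };
    int p = probe_sysv_shm();
    printf("System V shared memory: %s\n", names[p]);
    if (p == SYSV_OK)
        printf("key 0x%lx visible to a second process: %d\n",
               (unsigned long)DEMO_KEY, key_is_shared(DEMO_KEY));
    return p;
}
```

Run inside a jail, a "blocked" result corresponds to the new default, and "available" means jail.sysvipc_allowed has been set to 1 and the jail shares the host's key space.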