Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 3 Apr 2006 23:37:33 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Stephen Frost <sfrost@snowman.net>
Cc:        Tom Lane <tgl@sss.pgh.pa.us>, "Marc G. Fournier" <scrappy@postgresql.org>, pgsql-hackers@postgresql.org, freebsd-stable@FreeBSD.org, Kris Kennaway <kris@obsecurity.org>
Subject:   Re: [HACKERS] semaphore usage "port based"?
Message-ID:  <20060403233540.D76562@fledge.watson.org>
In-Reply-To: <20060403194251.GF4474@ns.snowman.net>
References:  <26796.1144028094@sss.pgh.pa.us> <20060402225204.U947@ganymede.hub.org> <26985.1144029657@sss.pgh.pa.us> <20060402231232.C947@ganymede.hub.org> <27148.1144030940@sss.pgh.pa.us> <20060402232832.M947@ganymede.hub.org> <20060402234459.Y947@ganymede.hub.org> <27417.1144033691@sss.pgh.pa.us> <20060403164139.D36756@fledge.watson.org> <14654.1144082224@sss.pgh.pa.us> <20060403194251.GF4474@ns.snowman.net>

next in thread | previous in thread | raw e-mail | index | archive | help

On Mon, 3 Apr 2006, Stephen Frost wrote:

>> So I think the code is pretty bulletproof as long as it's in a system that 
>> is behaving per SysV spec.  The problem in the current FBSD situation is 
>> that the jail mechanism is exposing semaphore sets across jails, but not 
>> exposing the existence of the owning processes.  That behavior is 
>> inconsistent: if process A can affect the state of a sema set that process 
>> B can see, it's surely unreasonable to pretend that A doesn't exist.
>
> This is certainly a problem with FBSD jails...  Not only the inconsistancy, 
> but what happens if someone manages to get access to the appropriate uid 
> under one jail and starts sniffing or messing with the semaphores or shared 
> memory segments from other jails?  If that's possible then that's a rather 
> glaring security problem...

This is why it's disabled by default, and the jail documentation specifically 
advises of this possibility.  Excerpt below.

Robert N M Watson

      security.jail.sysvipc_allowed
           This MIB entry determines whether or not processes within a jail
           have access to System V IPC primitives.  In the current jail imple-
           mentation, System V primitives share a single namespace across the
           host and jail environments, meaning that processes within a jail
           would be able to communicate with (and potentially interfere with)
           processes outside of the jail, and in other jails.  As such, this
           functionality is disabled by default, but can be enabled by setting
           this MIB entry to 1.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060403233540.D76562>