Date:      Sun, 2 Apr 2006 16:32:31 -0300 (ADT)
From:      "Marc G. Fournier" <scrappy@hub.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: [FreeBSD 6] semctl broken compared to 4-STABLE ...
Message-ID:  <20060402162612.N947@ganymede.hub.org>
In-Reply-To: <20060402191519.GA56599@xor.obsecurity.org>
References:  <20060402144704.S947@ganymede.hub.org> <20060402191519.GA56599@xor.obsecurity.org>

On Sun, 2 Apr 2006, Kris Kennaway wrote:

> On Sun, Apr 02, 2006 at 02:55:39PM -0300, Marc G. Fournier wrote:
>>
>> Back in April '05, someone posted a thread about PostgreSQL within FreeBSD
>> jails:
>>
>> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2005-04/0837.html
>>
>> At the time (and to date) I reported that I was running several PostgreSQL
>> daemons, all on the same port, using FreeBSD 4.x, and all within a jail
>> each ... and I continue to do this without any problems ...
>>
>> Today, on our new FreeBSD 6.x machine, I am now experiencing the same
>> problem that Alexander originally reported ...
>>
>> It's not PostgreSQL related ... I'm running 4x7.4 servers on a FreeBSD 4.x
>> box, all on the same port ... here, I'm trying to run 2x7.4 servers on a
>> FreeBSD RELENG_6 box ...
>>
>> So, something has changed with FreeBSD 6's (and, according to the above
>> thread, 5's) use of shared memory and semaphores that is breaking the
>> ability to do this ... something that did work as hoped in FreeBSD 4 ...
>
> See jail(8)?

If you are referring to:

      security.jail.sysvipc_allowed
           This MIB entry determines whether or not processes within a jail
           have access to System V IPC primitives.  In the current jail
           implementation, System V primitives share a single namespace across the
           host and jail environments, meaning that processes within a jail
           would be able to communicate with (and potentially interfere with)
           processes outside of the jail, and in other jails.  As such, this
           functionality is disabled by default, but can be enabled by setting
           this MIB entry to 1.

That wording hasn't changed since FreeBSD 4.x, so you are saying that
FreeBSD 6.x has become *less* stable/secure in this regard than FreeBSD 4.x
was?  Seems an odd direction to go ...

Please note, I'm not expecting FreeBSD 6.x to be *more* secure as far as
namespaces are concerned for shared memory ... I'm just not expecting
FreeBSD 6.x to create problems that didn't exist in 4.x :(  And, by the
fact that I have 17 PostgreSQL daemons, all running on port 5432, on my
FreeBSD 4.x box right now, I *know* that this did work with 4.x ...

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org           Yahoo!: yscrappy              ICQ: 7615664
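Added example (not part of this thread or of FreeBSD/PostgreSQL): a small C program that reproduces, on one host, the collision the jail(8) text above warns about when two jailed servers share a single System V IPC namespace, and shows the mitigation of giving each instance its own key. The port-derived key in `key_for_port` is a constructed simplification of how a PostgreSQL postmaster chooses its key, and the function names are my own.

```c
#include <errno.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Constructed simplification (assumption): a PostgreSQL postmaster derives its
 * System V IPC key from its TCP port, so two servers on the same port that
 * share one IPC namespace ask the kernel for the same key. */
static key_t key_for_port(int port) { return (key_t)(port * 1000); }

/* IPC_EXCL makes the kernel report a pre-existing segment instead of silently
 * attaching to it. Returns the shm id, -1 on a key collision (EEXIST), -2
 * on any other error (for example, SysV IPC not available). */
static int create_segment(key_t key, size_t size)
{
    int id = shmget(key, size, IPC_CREAT | IPC_EXCL | 0600);
    if (id >= 0)
        return id;
    return errno == EEXIST ? -1 : -2;
}

/* Remove a segment so the key is free again; a negative id is a no-op. */
static void remove_segment(int id) { if (id >= 0) shmctl(id, IPC_RMID, 0); }

/* Two "jails" sharing the host's IPC namespace both start a server on the same
 * port. Returns 1 if the second start collided with the first, 0 if it did
 * not, -1 if even the first segment could not be created. */
int same_port_collides(int port)
{
    int first = create_segment(key_for_port(port), 4096);
    if (first < 0) return -1;
    int second = create_segment(key_for_port(port), 4096);
    int collided = (second == -1);
    remove_segment(second);
    remove_segment(first);
    return collided;
}

/* Mitigation when the namespace cannot be split: distinct keys per instance
 * (here, distinct ports). Returns 1 on collision, 0 when both start cleanly. */
int different_ports_collide(int port_a, int port_b)
{
    int a = create_segment(key_for_port(port_a), 4096);
    int b = create_segment(key_for_port(port_b), 4096);
    int collided = (a == -1 || b == -1);
    remove_segment(a);
    remove_segment(b);
    return collided;
}
```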