[ FreeBSD email list removed.]

I totally agree, and have added the attached documentation patch to
recommend using different users in FreeBSD jails.

---------------------------------------------------------------------------

Stephen Frost wrote:
-- Start of PGP signed section.
> * Marc G. Fournier ([EMAIL PROTECTED]) wrote:
> > On Mon, 3 Apr 2006, Stephen Frost wrote:
> > >Running the Postgres instances under different uids (as you'd probably
> > >expect to do anyway if not using the jails) is probably the right
> > >approach.  Doing that and using jails would probably work, just don't
> > >delude yourself into thinking that you're safe from a malicious user in
> > >one jail.
> > 
> > We don't ... we put all our databases on a central database server, even 
> > private ones, that nobody has shell access to ... we keep them isolated 
> > ...
> 
> I guess what I was trying to get at is this:
> 
> Running 2 Postgres instances under FreeBSD with (or without really, but
> I guess that's more obvious) jails but with the same UID is a bad idea. 
> Even if Postgres could be modified to allow this to work you're going to
> be in a position where the jail isn't really helping much except to give
> a somewhat false (in this case) sense of security.  We probably
> shouldn't encourage it and in fact it's something of a nice feature that
> it breaks.
> 
> The reasoning is pretty simple: if someone manages to get control of 
> one of the Postgres instances they're going to be able to wreak havoc on
> the other.  With different UIDs, with or without jails, this would be
> much more difficult (need to get root first).
> 
> Running 2 Postgres instances under FreeBSD with jails *and* different
> UIDs is *probably* better than w/o jails but since you have to enable
> the single-instance IPC system it might not be that great of a benefit
> over a simple chroot or similar.
> 
> Hope that helps...
> 
>       Thanks,
> 
>               Stephen
-- End of PGP section, PGP failed!

-- 
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v
retrieving revision 1.366
diff -c -c -r1.366 runtime.sgml
*** doc/src/sgml/runtime.sgml   3 Apr 2006 23:35:02 -0000       1.366
--- doc/src/sgml/runtime.sgml   11 Apr 2006 19:23:27 -0000
***************
*** 764,769 ****
--- 764,781 ----
         </para>
  
         <para>
+         If running in FreeBSD jails by enabling <application>sysconf</>'s
+         <literal>security.jail.sysvipc_allowed</>, <application>postmaster</>s
+         running in different jails should be run by different operating system
+         users.  This improves security because it prevents one jail from
+         interfering with shared memory or semaphores in another, and it
+         allows the PostgreSQL IPC cleanup code to function properly.  
+         (In FreeBSD 6.0 and later the IPC cleanup code doesn't properly detect
+         processes in other jails, preventing the running of postmasters on the
+         same port in different jails.)
+        </para>
+ 
+        <para>
          <systemitem class="osname">FreeBSD</> versions before 4.0 work like 
          <systemitem class="osname">NetBSD</> and <systemitem class="osname">
          OpenBSD</> (see below).
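Review bot: `<application>sysconf</>` in the first added line should read `sysctl`; `security.jail.sysvipc_allowed` is a sysctl(8) MIB variable set on the FreeBSD host, while sysconf(3) is an unrelated C library call. The parenthetical "In FreeBSD 6.0 and later the IPC cleanup code doesn't properly detect processes in other jails" also reads as contradicting the preceding "allows the PostgreSQL IPC cleanup code to function properly"; consider stating the cause first (a postmaster cannot detect processes running in other jails) and then the two consequences the paragraph already names (a shared UID lets one jail interfere with another's shared memory and semaphores, and postmasters on the same port in different jails fail to run), so the reader sees why distinct operating system users are the fix. Minor: trailing whitespace after "function properly." on that line.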
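As an added example (not part of the patch or of anyone's mail in this thread), a small POSIX sh check for the misconfiguration the thread warns about: postmasters in different FreeBSD jails running under the same UID. It assumes its input is the `jid uid command` columns as printed by FreeBSD's `ps -axo jid,uid,command`; the process listing below is constructed so the check runs offline.

```shell
#!/bin/sh
# Flag UIDs that run a postmaster in more than one FreeBSD jail.
# Input (stdin), one process per line: "<jid> <uid> <command...>", i.e. the
# output of `ps -axo jid,uid,command` (assumed format; a header line is
# tolerated). Nothing here queries a live system.
#
# Prints "uid=<uid> jails=<jid,jid,...>" for each UID shared across jails.
# Exit status: 0 if every jail uses its own UID, 1 if a UID is shared.
check_jail_uids() {
    awk '
        # Keep only server processes (postmaster, or the postgres binary in
        # newer releases) and skip jid 0, which is the host itself.
        $1 != 0 && $3 ~ "(^|/)(postmaster|postgres)$" {
            key = $2 SUBSEP $1          # one entry per (uid, jail) pair
            if (key in seen) next
            seen[key] = 1
            if ($2 in jails) jails[$2] = jails[$2] "," $1
            else             jails[$2] = $1
        }
        END {
            bad = 0
            for (uid in jails)
                if (index(jails[uid], ",")) {
                    printf "uid=%s jails=%s\n", uid, jails[uid]
                    bad = 1
                }
            exit bad
        }'
}

# Constructed sample listing: jails 1 and 2 both run their postmaster as
# uid 70 (the problem case); jail 3 uses its own uid 71.
SAMPLE='jid uid command
  0   0 /sbin/init --
  1  70 /usr/local/bin/postmaster -D /usr/local/pgsql/data
  1  70 postgres: writer process
  2  70 /usr/local/bin/postmaster -D /usr/local/pgsql/data
  3  71 /usr/local/bin/postmaster -D /usr/local/pgsql/data'

# Stand-alone run: reports "uid=70 jails=1,2" and exits non-zero.
printf '%s\n' "$SAMPLE" | check_jail_uids || echo "shared UID across jails"
```

On a real host the same function is fed with `ps -axo jid,uid,command | check_jail_uids`.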