[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Limiting SysV-IPC to certain jails



Hi,

I found no documentation on limiting SysV-IPC to a certain (set of)
jail(s), so I went ahead and came up with the following hack.

1. Putting the following snippet into /etc/rc.conf:
jail_sysvipc_allow="${jail_sysvipc_allow_override:-NO}"

2. Adding the following snippet to /usr/local/etc/ezjail/postgres_or_whatever
export jail_sysvipc_allow_override="YES"

This solves the problem, but is still rather ugly. I don't know, if
nobody has done this before, it might be useful for somebody, which is
why I'm posting it to this list. I don't want to allow SysV-IPC for all
jails, because it allows one jail to corrupt another one's memory (e.g.
when two jails are running postgres under the same UID.)

Maybe somebody comes up with a better way to do this (or fixes SysV-IPC
in jailed environments, or, even better, can tell me how to make
postgres not use SysV-IPC in the first place).


Best regards,

Moritz