lister <lister@xxxxxxxxxxxxx> writes: > At the BSDCan tutorial last week on jails (and several other times) > there was discussion regarding Postgres's use of system V style > shared memory, and an unfortunate side effect of making jail() less > secure. Specifically, to allow Postgres to operate in a jail()ed > environment, the sysctl : > jail.sysvipc_allowed=1 > has to be set. This allows ALL jails to access the memory, at the least > leaving Postgres open to attack, at the worst allowing a door into who > knows what security breach. > Question : is there any way to run Postgres securely in a jail? By your definition, not unless you remove the dependence on SysV shmem, which would be a lot of work. -Doug ---------------------------(end of broadcast)--------------------------- TIP 8: explain analyze is your friend
