lister <lister@xxxxxxxxxxxxx> writes: > At the BSDCan tutorial last week on jails (and several other times) > there was discussion regarding Postgres's use of system V style > shared memory, and an unfortunate side effect of making jail() less > secure. Specifically, to allow Postgres to operate in a jail()ed > environment, the sysctl : > jail.sysvipc_allowed=1 > has to be set. This allows ALL jails to access the memory, at the least > leaving Postgres open to attack, at the worst allowing a door into who > knows what security breach. This claim is really pretty bogus, since there is still standard file-permission-like security on the shared memory. Only if you give usage of the postgres account to processes running in other jails is there any risk. regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 8: explain analyze is your friend
