lister <lister@primetime.com> writes:
> At the BSDCan tutorial last week on jails (and several other times)
> there was discussion regarding Postgres's use of system V style
> shared memory, and an unfortunate side effect of making jail() less
> secure. Specifically, to allow Postgres to operate in a jail()ed
> environment, the sysctl :
> jail.sysvipc_allowed=1
> has to be set. This allows ALL jails to access the memory, at the least
> leaving Postgres open to attack, at the worst allowing a door into who
> knows what security breach.
> Question : is there any way to run Postgres securely in a jail?
By your definition, not unless you remove the dependence on SysV
shmem, which would be a lot of work.
-Doug