* Mischa Sandberg ([EMAIL PROTECTED]) wrote:
> Here (@sophos.com) we run machine cluster tests using FreeBSD jails. A
> jail is halfway between a chroot and a VM. Jails blow a number of
> assumptions about a unix environment: sysv ipc's are global to all
> jails; but a process can only "see" other processes also running in the
> jail. In fact, the quickest way to tell whether you're running in a jail
> is to test for process 1.

I've got a couple of concerns about this-

#1: Having the shared memory be global is a rather large problem when it
    comes to something like PG which can have a fair bit of data going
    through that area that could be sensitive.

#2: Isn't there already a uid check that's done? Wouldn't this make more
    sense anyway (and hopefully minimize the impact of a bad person
    getting control of the PG database/user in a given jail)?

#3: At least in the linux-equivalent to jails (linux-vservers, imv
    anyway), they started w/o an init process and eventually decided it
    made sense to have one, so I'm not sure that this test will always
    work and the result might catch someone by surprise at some later
    date. Is there a better/more explicit test?

Thanks,

Stephen