Hi there,
I looked around about jail_sysvipc_allow in jails and found some hints about a possible danger in enabling shared memory, because it's shared in the host and other jails as well and not only in one specific jail. So far so good. On the other hand we know it's needed for postgresql to run and in some jails I need postgresql.
So, are there some articles about a specific risk, about ways the shared mem was used to compromise other jails? Is there a way to limit this risk while I keep jail_sysvipc_allow enabled?
I just want to know more to hopefully get an idea how risky it is at all. Atm I saw hints about a risk but I found no article going deeper into this.
Btw. could BSD mmap raise the same risk?
The only thing I found is this http://serverfault.com/questions/15...ions-of-using-allow-sysvipc-in-a-freebsd-jail which tells what I already expected. Is there more that is widely known?
Many thanks in advance!
Jimmy
I looked around about jail_sysvipc_allow in jails and found some hints about a possible danger in enabling shared memory, because it's shared in the host and other jails as well and not only in one specific jail. So far so good. On the other hand we know it's needed for postgresql to run and in some jails I need postgresql.
So, are there some articles about a specific risk, about ways the shared mem was used to compromise other jails? Is there a way to limit this risk while I keep jail_sysvipc_allow enabled?
I just want to know more to hopefully get an idea how risky it is at all. Atm I saw hints about a risk but I found no article going deeper into this.
Btw. could BSD mmap raise the same risk?
The only thing I found is this http://serverfault.com/questions/15...ions-of-using-allow-sysvipc-in-a-freebsd-jail which tells what I already expected. Is there more that is widely known?
Many thanks in advance!
Jimmy
