Re: semaphore usage "port based"?

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>
Cc: Robert Watson <rwatson(at)FreeBSD(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org, freebsd-stable(at)FreeBSD(dot)org, Kris Kennaway <kris(at)obsecurity(dot)org>
Subject: Re: semaphore usage "port based"?
Date: 2006-04-04 01:19:04
Message-ID: 20060404011904.GJ4474@ns.snowman.net
Lists: pgsql-hackers

* Marc G. Fournier (scrappy(at)postgresql(dot)org) wrote:
> On Mon, 3 Apr 2006, Stephen Frost wrote:
> >Running the Postgres instances under different uids (as you'd probably
> >expect to do anyway if not using the jails) is probably the right
> >approach. Doing that and using jails would probably work, just don't
> >delude yourself into thinking that you're safe from a malicious user in
> >one jail.
>
> We don't ... we put all our databases on a central database server, even
> private ones, that nobody has shell access to ... we keep them isolated
> ...

I guess what I was trying to get at is this:

Running 2 Postgres instances under FreeBSD with (or without really, but
I guess that's more obvious) jails but with the same UID is a bad idea.
Even if Postgres could be modified to allow this to work you're going to
be in a position where the jail isn't really helping much except to give
a somewhat false (in this case) sense of security. We probably
shouldn't encourage it and in fact it's something of a nice feature that
it breaks.

The reasoning is pretty simple: if someone manages to get control of
one of the Postgres instances they're going to be able to wreak havoc on
the other. With different UIDs, with or without jails, this would be
much more difficult (need to get root first).

Running 2 Postgres instances under FreeBSD with jails *and* different
UIDs is *probably* better than w/o jails but since you have to enable
the single-instance IPC system it might not be that great of a benefit
over a simple chroot or similar.

Hope that helps...

Thanks,

Stephen
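The point above about two postmasters sharing a UID is easy to audit for. The following is an added example (not code from the thread or from the PostgreSQL project): it parses `ps -axo uid,pid,command` output, finds every postmaster by its `-D` data directory, and reports any UID that owns more than one cluster. The sample process listing, its paths and UIDs are constructed for the example.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `ps -axo uid,pid,command` output; paths and uids are made up.
SAMPLE_PS = """\
  UID   PID COMMAND
   70  1201 /usr/local/bin/postgres -D /var/db/pgsql/clusterA
   70  1355 /usr/local/bin/postgres -D /var/db/pgsql/clusterB
 1001  1402 /usr/local/bin/postgres -D /jails/web/var/db/pgsql
   70  1410 postgres: writer process
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.*)$")
DATADIR = re.compile(r"(?:^|\s)-D\s+(\S+)")


def postmasters_by_uid(ps_output):
    """Map uid -> set of data directories, one entry per postmaster (a process started with -D).

    Backend worker processes ("postgres: writer process") carry no -D and are skipped,
    as is the header line, which has no numeric uid.
    """
    by_uid = defaultdict(set)
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        uid, _pid, cmd = m.groups()
        d = DATADIR.search(cmd)
        if d:
            by_uid[int(uid)].add(d.group(1))
    return dict(by_uid)


def shared_uids(ps_output):
    """Return {uid: [datadir, ...]} for every uid that runs more than one distinct cluster.

    Two clusters under one uid can reach each other's processes and SysV IPC objects,
    with or without jails, which is the situation the mail argues against.
    """
    return {
        uid: sorted(dirs)
        for uid, dirs in postmasters_by_uid(ps_output).items()
        if len(dirs) > 1
    }


def live_ps_output():
    """Fetch the real process table; the column order matches SAMPLE_PS."""
    return subprocess.run(
        ["ps", "-axo", "uid,pid,command"], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    collisions = shared_uids(live_ps_output())
    if not collisions:
        print("ok: every postmaster runs under its own uid")
    for uid, dirs in collisions.items():
        print(f"uid {uid} runs {len(dirs)} clusters: {', '.join(dirs)}")
```

Run it on the database host itself (or inside each jail, since a jail only sees its own processes); a host-wide view is what reveals the cross-jail sharing, so running it outside the jails is the useful check.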
