Your message dated Mon, 23 Sep 2019 17:06:40 +0200
with message-id <[email protected]>
and subject line Re: Bug#940844: listen_addresses / -h flag not respected
has caused the Debian Bug report #940844,
regarding listen_addresses / -h flag not respected
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
940844: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940844
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: postgresql-11
Version: 11.5-1.pgdg100+1

When I manually launch a postgres server using the -h flag to specify
the IP that the server listen on, it is not respected. Instead the
requested port is bound on all IPs for the given machine.

$ ip address | grep "inet "
    inet 127.0.0.1/8 scope host lo
    inet 172.27.16.50/24 brd 172.27.16.255 scope global dynamic noprefixroute wlp0s20f3
$ nmap -p 1045 172.27.16.50
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-20 14:13 CDT
Nmap scan report for 172.27.16.50
Host is up (0.000053s latency).

PORT     STATE  SERVICE
1045/tcp closed fpitp

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
$ # launch postgres (in another terminal)
$ /usr/lib/postgresql/11/bin/postgres \
    -h127.0.0.1 \
    -p1045 \
    -D/home/[redacted]/postgres \
    -k/home/[redacted]/postgres \
    -i;
$ nmap -p 1045 172.27.16.50
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-20 14:17 CDT
Nmap scan report for 172.27.16.50
Host is up (0.000048s latency).

PORT     STATE SERVICE
1045/tcp open  fpitp

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

The same incorrect behavior (listening on all IPs) occurs when setting
`listen_addresses='127.0.0.1'` in postgresql.conf. Instead, I would
expect postgres to only listen on the requested IPs. This is a
reasonably serious error as it could potentially expose a postgres
server to a public network when it is expected to only bind to a
private network.

I am using Debian GNU/Linux Buster 10.0 with kernel 4.19.0-5-amd64.

Best,
-Andy

--- End Message ---
--- Begin Message ---
Re: Hochhaus, Andy 2019-09-20 <CAAhqAFrsOHp2bdz+ETNd6Xv-7Fv5KcC=u2j_srn9ohgutas...@mail.gmail.com>
> $ # launch postgres (in another terminal)
> $ /usr/lib/postgresql/11/bin/postgres \
>     -h127.0.0.1 \
>     -p1045 \
>     -D/home/[redacted]/postgres \
>     -k/home/[redacted]/postgres \
>     -i;

Hi Andy,

you shouldn't use "-h" and "-i" at the same time:

       -i
           Allows remote clients to connect via TCP/IP (Internet domain) connections. Without this option, only local connections are
           accepted. This option is equivalent to setting listen_addresses to * in postgresql.conf or via -h.

           This option is deprecated since it does not allow access to the full functionality of listen_addresses. It's usually better
           to set listen_addresses directly.

Christoph

--- End Message ---
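
A pre-launch and post-launch check for the situation in this thread, as an added example that is not part of the original messages: one function flags `-i` used together with `-h`, the other classifies what a port is bound to from `ss -H -ltn` output. The function names and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): two checks for a manually
# launched postgres. Function names and sample data are hypothetical.

# Constructed sample of `ss -H -ltn` output with a wildcard bind on 1045.
SAMPLE_WILDCARD='LISTEN 0 128 0.0.0.0:1045 0.0.0.0:*
LISTEN 0 128 [::]:1045 [::]:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'

# Constructed sample with the same port bound to loopback only.
SAMPLE_LOOPBACK='LISTEN 0 128 127.0.0.1:1045 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'

# flags_conflict ARGS...: succeeds when both -i and -h appear, the
# combination the reply above says not to use.
flags_conflict() {
    seen_i=0; seen_h=0
    for arg in "$@"; do
        case "$arg" in
            -i)       seen_i=1 ;;
            -h|-h?*)  seen_h=1 ;;   # "-h addr" or "-haddr"
        esac
    done
    [ "$seen_i" -eq 1 ] && [ "$seen_h" -eq 1 ]
}

# listen_scope PORT: reads `ss -H -ltn` lines on stdin and prints
# "wildcard", "specific" or "none" for listeners on PORT.
listen_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")            # port is the last field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") wild = 1
        }
        END { print (wild ? "wildcard" : (found ? "specific" : "none")) }
    '
}

# Live use on a Linux host:  ss -H -ltn | listen_scope 1045
```
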
