Bug#318820: postgresql-8.0: listen_addresses shouldn't bind to all interfaces
reassign 318820 postgresql-common
found 318820 26
thanks

Hi Peter!

Peter Eisentraut [2005-09-26 10:45 +0200]:
> I want to add what the idea behind this setting is: The authentication
> checks in pg_hba.conf are done at a rather late stage of creating the
> connection. If the server accepts TCP connections from anyone on the
> Internet, it's trivial to DOS the PostgreSQL server. The current
> installation default in the Debian package is therefore a gaping security
> hole. The default setting is therefore to not make the database server
> visible on external interfaces. The comparison with Apache and SSH is
> flawed because those services are designed to operate on the open
> Internet whereas PostgreSQL is definitely not designed for that.

Oh, that's good to know. I just kept this since this has been the default since woody. Well, but if upstream says it's not safe enough, who am I to disagree...

Ok, I'll change the default in the next postgresql-common upload (I'm glad that this does not require me to change three server package versions any more :-) ). The new default will affect only new clusters, though; I cannot and don't want to change already existing ones.

Martin

-- 
Martin Pitt          http://www.piware.de
Ubuntu Developer     http://www.ubuntu.com
Debian Developer     http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
Bug#318820: postgresql-8.0: listen_addresses shouldn't bind to all interfaces
I want to add what the idea behind this setting is: The authentication checks in pg_hba.conf are done at a rather late stage of creating the connection. If the server accepts TCP connections from anyone on the Internet, it's trivial to DOS the PostgreSQL server. The current installation default in the Debian package is therefore a gaping security hole.

The default setting is therefore to not make the database server visible on external interfaces. The comparison with Apache and SSH is flawed because those services are designed to operate on the open Internet whereas PostgreSQL is definitely not designed for that.
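Peter's point is that listen_addresses decides who can open a TCP connection at all, while pg_hba.conf is only consulted afterwards. As an added example (not code from the bug report or the Debian packages), here is a POSIX sh audit that reads a cluster's postgresql.conf and flags any listen_addresses value that is not loopback-only; it assumes the upstream rule that a missing or commented-out directive means 'localhost', and the sample configs it writes are constructed.

```shell
#!/bin/sh
# Added example: audit a postgresql.conf for a listen_addresses value that
# exposes the server on non-loopback interfaces. Assumption: an absent or
# commented-out directive means 'localhost' (upstream default); an empty ''
# means no TCP sockets at all, which is also treated as not exposed.

# Print the effective listen_addresses value from a config file.
effective_listen_addresses() {
    # Only uncommented assignments count; PostgreSQL keeps the last one seen.
    val=$(sed -n 's/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    # Drop a trailing comment, trailing whitespace and the surrounding quotes.
    val=$(printf '%s' "$val" | sed 's/#.*$//; s/[[:space:]]*$//; s/^'\''//; s/'\''$//')
    [ -n "$val" ] || val=localhost
    printf '%s\n' "$val"
}

# Succeed (0) when every listed address is loopback; fail (1) when the list
# contains '*' or any non-loopback address, i.e. the server accepts remote
# TCP connections before pg_hba.conf ever gets a say.
listen_is_loopback_only() {
    addrs=$(effective_listen_addresses "$1")
    set -f                      # a bare '*' must not glob into file names
    old_ifs=$IFS; IFS=,
    set -- $addrs
    IFS=$old_ifs
    set +f
    for a in "$@"; do
        a=$(printf '%s' "$a" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$a" in
            localhost|127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configs (not real Debian files), written to temp files.
exposed_conf=$(mktemp)
printf '%s\n' "listen_addresses = '*'   # every interface" "port = 5432" > "$exposed_conf"
mixed_conf=$(mktemp)
printf '%s\n' "listen_addresses = 'localhost, 192.0.2.10'" > "$mixed_conf"
safe_conf=$(mktemp)
printf '%s\n' "#listen_addresses = 'localhost'   # commented out: default" > "$safe_conf"
trap 'rm -f "$exposed_conf" "$mixed_conf" "$safe_conf"' EXIT

for f in "$exposed_conf" "$mixed_conf" "$safe_conf"; do
    if listen_is_loopback_only "$f"; then verdict=ok; else verdict=EXPOSED; fi
    printf '%s: listen_addresses=%s -> %s\n' "$f" "$(effective_listen_addresses "$f")" "$verdict"
done
```

Run it against /etc/postgresql/<version>/<cluster>/postgresql.conf on each host; an EXPOSED verdict means the cluster should be restricted, or at least filtered, before relying on pg_hba.conf.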
Bug#318820: postgresql-8.0: listen_addresses shouldn't bind to all interfaces
Package: postgresql-8.0
Version: 8.0.3-10
Severity: important

Hi,

looking at the default mysql config I wonder why postgresql-8.0 binds to any interface it can find. Wouldn't it be better to bind just to localhost, so that the server is not automatically exposed in the network (that may include the internet)?

Andreas

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-cherry+noradeon+8139c+
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages postgresql-8.0 depends on:
ii  libc6                  2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libcomerr2             1.38-1        common error description library
ii  libkrb53               1.3.6-4       MIT Kerberos runtime libraries
ii  libpam0g               0.76-23       Pluggable Authentication Modules l
ii  libpq4                 8.0.3-10      PostgreSQL C client library
ii  libreadline5           5.0-10        GNU readline and history libraries
ii  libssl0.9.7            0.9.7g-1      SSL shared libraries
ii  postgresql-client-8.0  8.0.3-10      front-end programs for PostgreSQL
ii  postgresql-common      22            manager for PostgreSQL database cl
ii  zlib1g                 1:1.2.2-9     compression library - runtime

postgresql-8.0 recommends no packages.

-- no debconf information