Brendan Jurd wrote:
> On Dec 23, 2007 12:20 PM, Bruce Momjian <bruce@momjian.us> wrote:
> > Gurjeet Singh wrote:
> > > On Dec 22, 2007 6:25 AM, Bruce Momjian <bruce@momjian.us> wrote:
> > > This way, if the attacker has control of even one interface (and
> > > optionally the local socket) that the clients are expected to connect to,
> > > the postmaster wouldn't start and the attacker won't have any traffic to
> > > peek into.
> >
> > Yes, that would fix the problem I mentioned but at that point the
> > attacker already has passwords so they can just connect themselves.
> > Having the server fail if it can't get one interface makes the server
> > less reliable.
>
> It doesn't solve the spoofing attack problem, but isn't Gurjeet's idea
> a good one in any case?
>
> If the postmaster can't bind on one of the specified interfaces, then
> at the least, haven't you got got a serious configuration error the
> sysadmin would want to know about? Having postmaster fail seems like
> a sensible response.
>
> "I can't start with the configuration you've given me, so I won't
> start at all" is fairly normal behaviour for a server process, no?

Yes, we have talked about this in the past and there were concerns that
that the server might have some network problem that would prevent
binding on all interfaces, particularly IPv6.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@postgresql.org so that your
message can get through to the mailing list cleanly

Bruce Momjian wrote:
>> "I can't start with the configuration you've given me, so I won't
>> start at all" is fairly normal behaviour for a server process, no?
>>
>
> Yes, we have talked about this in the past and there were concerns that
> that the server might have some network problem that would prevent
> binding on all interfaces, particularly IPv6.
>

This used to be our behaviour - IIRC we changed it along with the
listen_interfaces changes in 8.0 because we so frequently see
misconfigured networking.

I'm wondering if it might not be reasonable to restore it as switchable,
non-default behaviour.

cheers

andrew



---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?

http://www.postgresql.org/docs/faq