Bug 819611

Summary: [RFE] SAM 1.0 Have PostgreSQL only listen on 127.0.0.1 instead of 127.0.0.1 and 0.0.0.0
Product: [Retired] Subscription Asset Manager
Reporter: Kurt Seifried <kseifried>
Component: katello-configure
Assignee: Miroslav Suchý <msuchy>
Status: CLOSED ERRATA
QA Contact: Og Maciel <omaciel>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 1.0.0
CC: bkearney, esammons, gkhachik, lzap, msuchy, omaciel, tkolhar, tomckay
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Clones: 820624
Environment:
Last Closed: 2013-02-21 19:16:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 816564, 820624, 876492

Description Kurt Seifried 2012-05-07 17:46:39 UTC
Description of problem:

SAM 1.0 uses the PostgreSQL database. By default it listens on localhost (good) and all network IPs (bad). SAM only needs to talk to PostgreSQL locally; removing the network listening from all IPs would significantly reduce the attack surface of PostgreSQL with no impact to the SAM product.

Assuming SAM keeps the config files in the normal locations, simply edit:

/var/lib/pgsql/data/postgresql.conf

and ensure the line

listen_addresses = 'localhost'

is present.

How reproducible:

Always

Steps to Reproduce:
1. Install SAM
2. netstat -vatn: postgresql is listening on 0.0.0.0:5432

Comment 1 Lukas Zapletal 2012-05-15 09:46:35 UTC
Yeah, this is a valid request I guess. But I am testing it right now to see if it does not hurt us. Candlepin uses PGSQL too, not sure if they both connect to localhost.

Comment 3 Lukas Zapletal 2012-07-31 07:22:13 UTC
Uh, for some reason my pull request got deleted. Resubmitting again: https://github.com/Katello/katello/pull/403

Comment 4 Miroslav Suchý 2012-08-06 11:54:33 UTC
Fixed in katello.git in commit aa6286b.

Comment 6 Og Maciel 2012-10-09 20:40:23 UTC
It was not clear why the applied fix added a line that was commented out:

  grep "listen_address" /var/lib/pgsql/data/postgresql.conf
  # "pg_ctl reload". Some settings, such as listen_addresses, require
  #listen_addresses = '*'

FailedQA using:

* candlepin-0.7.12-1.el6_3.noarch
* candlepin-tomcat6-0.7.12-1.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1h.el6_3.noarch
* katello-cli-common-1.1.10-1h.el6_3.noarch
* katello-cli-headpin-0.2.2-1.el6_2.noarch
* katello-common-1.1.14-2h.el6_3.noarch
* katello-configure-1.1.11-1h.el6_3.noarch
* katello-glue-candlepin-1.1.14-2h.el6_3.noarch
* katello-headpin-1.1.14-2h.el6_3.noarch
* katello-headpin-all-1.1.14-2h.el6_3.noarch
* katello-selinux-1.1.2-1h.el6_3.noarch

Comment 8 Og Maciel 2012-10-10 14:20:00 UTC
# netstat -putna | grep 5432
tcp        0      0 127.0.0.1:5432              0.0.0.0:*                   LISTEN      2790/postmaster     
tcp        0      0 127.0.0.1:5432              127.0.0.1:56061             ESTABLISHED 8737/postgres       
tcp        0      0 127.0.0.1:5432              127.0.0.1:56272             ESTABLISHED 9242/postgres       
tcp        0      0 127.0.0.1:5432              127.0.0.1:56430             ESTABLISHED 9820/postgres       
tcp        0      0 ::1:5432                    :::*                        LISTEN      2790/postmaster     
tcp        0      0 ::1:38356                   ::1:5432                    ESTABLISHED 8986/thin server (1 
tcp        0      0 ::1:5432                    ::1:38395                   ESTABLISHED 9163/postgres: kate 
tcp        0      0 ::1:38318                   ::1:5432                    ESTABLISHED 8945/thin server (1 
tcp        0      0 ::1:38489                   ::1:5432                    ESTABLISHED 9220/katello/delaye 
tcp        0      0 ::ffff:127.0.0.1:56272      ::ffff:127.0.0.1:5432       ESTABLISHED 8716/java           
tcp        0      0 ::1:5432                    ::1:35893                   ESTABLISHED 4373/postgres: kate 
tcp        0      0 ::1:5432                    ::1:38321                   ESTABLISHED 9123/postgres: kate 
tcp        0      0 ::1:35893                   ::1:5432                    ESTABLISHED 4361/katello/delaye 
tcp        0      0 ::1:5432                    ::1:38489                   ESTABLISHED 9222/postgres: kate 
tcp        0      0 ::ffff:127.0.0.1:56061      ::ffff:127.0.0.1:5432       ESTABLISHED 8716/java           
tcp        0      0 ::1:38311                   ::1:5432                    ESTABLISHED 8939/thin server (1 
tcp        0      0 ::1:5432                    ::1:38356                   ESTABLISHED 9143/postgres: kate 
tcp        0      0 ::ffff:127.0.0.1:56430      ::ffff:127.0.0.1:5432       ESTABLISHED 8716/java           
tcp        0      0 ::1:38321                   ::1:5432                    ESTABLISHED 8934/thin server (1 
tcp        0      0 ::1:5432                    ::1:38311                   ESTABLISHED 9113/postgres: kate 
tcp        0      0 ::1:38395                   ::1:5432                    ESTABLISHED 8967/thin server (1 
tcp        0      0 ::1:5432                    ::1:38318                   ESTABLISHED 9121/postgres: kate

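The two checks this report turns on, the effective value of listen_addresses in postgresql.conf (comment 6 shows why a commented-out `#listen_addresses = '*'` line changes nothing: PostgreSQL's built-in default is 'localhost') and the netstat review in comment 8, as an added example that is not part of the bug or of katello-configure. The config fragment and netstat lines below are constructed samples; the function names are my own.

```python
import ipaddress
import re

# Constructed postgresql.conf fragment (not from a SAM host): the only
# listen_addresses line is commented out, so the built-in default applies.
SAMPLE_CONF = """\
# "pg_ctl reload". Some settings, such as listen_addresses, require
#listen_addresses = '*'
port = 5432
"""
# Constructed `netstat -putna` lines: two loopback listeners and one wildcard bind.
SAMPLE_NETSTAT = """\
tcp  0  0 127.0.0.1:5432       0.0.0.0:*   LISTEN  2790/postmaster
tcp  0  0 ::1:5432             :::*        LISTEN  2790/postmaster
tcp  0  0 0.0.0.0:5432         0.0.0.0:*   LISTEN  2790/postmaster
"""

def effective_listen_addresses(conf_text, default="localhost"):
    # Last uncommented assignment wins. re.match anchors at the start of the
    # stripped line, so '#listen_addresses = ...' never matches and the default stays.
    value = default
    for line in conf_text.splitlines():
        m = re.match(r"listen_addresses\s*=\s*(?:'([^']*)'|(\S+))", line.strip())
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2)
    return value

def is_loopback(addr):
    # 127.0.0.0/8, ::1 and the IPv4-mapped form ::ffff:127.x.x.x all count as loopback.
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback

def exposed_listeners(netstat_text, port=5432):
    # (local address, PID/program) for LISTEN sockets on `port` not bound to loopback.
    exposed = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")
        if int(lport) == port and not is_loopback(addr):
            exposed.append((addr, fields[6]))
    return exposed

if __name__ == "__main__":
    print("listen_addresses =", effective_listen_addresses(SAMPLE_CONF))
    print("exposed listeners:", exposed_listeners(SAMPLE_NETSTAT))
```

On a real host, feed it the actual postgresql.conf and the output of `netstat -putna`; an empty list from exposed_listeners is the state the fix is meant to produce.
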
Comment 9 Og Maciel 2012-10-10 15:06:04 UTC
As per Lukas' recommendation I:

* service iptables stop
* telnet [my-system-ip] 5432
Trying [my-system-ip]...
telnet: connect to address [my-system-ip]: Connection refused

Comment 10 Og Maciel 2012-10-10 15:07:02 UTC
Verified:

* candlepin-0.7.12-1.el6_3.noarch
* candlepin-tomcat6-0.7.12-1.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1h.el6_3.noarch
* katello-cli-common-1.1.10-1h.el6_3.noarch
* katello-cli-headpin-0.2.2-1.el6_2.noarch
* katello-common-1.1.14-2h.el6_3.noarch
* katello-configure-1.1.11-1h.el6_3.noarch
* katello-glue-candlepin-1.1.14-2h.el6_3.noarch
* katello-headpin-1.1.14-2h.el6_3.noarch
* katello-headpin-all-1.1.14-2h.el6_3.noarch
* katello-selinux-1.1.2-1h.el6_3.noarch

Comment 12 errata-xmlrpc 2013-02-21 19:16:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0544.html