From Bugzilla Helper:
User-Agent: Mozilla/4.73 [en] (X11; I; Linux 2.4.7 ppc)

Description of problem:
Using the default configuration of postgresql, the postmaster daemon binds to port 5432 on all IP addresses. This behavior cannot be changed, which makes hardening a box with postgresql installed on it impossible. From the postmaster daemon man page, the daemon will only bind using tcp sockets if the -i flag is passed (the default being unix domain sockets). Nowhere in the startup script has a -i been passed, which suggests that Redhat has patched postgresql to override the default secure behavior. In addition, it seems impossible to tell postgresql to bind to a specific IP address, making the default installation impossible to secure if the use of tcp sockets is necessary.

How reproducible:
Always

Steps to Reproduce:
1. Install postgresql
2. Use nmap to scan all ports - port 5432 on all IP addresses is open

Additional info:
It was not patched in any such way, which you can easily verify by looking at the SRPM. I cannot reproduce it (a newer version, but no config changes affecting this has been made) either - also, note that you don't need "-i". You can configure it in /var/lib/pgsql/data/postgresql.conf with the same result. Finally, of course you can harden it - ipchains should work just fine, if the app in question doesn't support binding to just one address. If you want that changed, suggest it on the postgresql-general mailing list.
> It was not patched in any such way, which you can easily verify by looking at
> the SRPM.

Was the /etc/rc.d/init.d/postgresql script written by the postgresql people or by redhat? Whoever wrote it defaulted the server startup to "wide open".

> I cannot reproduce it (a newer version, but no config changes affecting this
> has been made) either - also, note that you don't need "-i". You can configure
> it in /var/lib/pgsql/data/postgresql.conf with the same result.

I can find no mention of this config file in any of the docs, nor is there an example config anywhere in the package. To reproduce it, install postgresql, start up the server, create a database, do an nmap scan - port 5432 will be open on all IP addresses.

> Finally, of course you can harden it - ipchains should work just fine, if the app
> in question doesn't support binding to just one address. If you want that
> changed, suggest it on the postgresql-general mailing list.

ipchains is a bandaid - the port should not be open in the first place.
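The two things the reporter and the maintainer are arguing over (whether the postmaster is really bound to 0.0.0.0:5432, and whether postgresql.conf rather than "-i" controls that) can be checked from the shell. The script below is an added example; it is not from the bug report, from Red Hat's init script or from the PostgreSQL sources. It assumes the 7.x configuration keys tcpip_socket and virtual_host and the 8.0+ key listen_addresses; the netstat output and the conf fragments it contains are constructed samples, and the ipchains/iptables lines are a generic host-firewall fallback for the case the maintainer describes, where the server cannot be told to bind a single address.

```shell
#!/bin/sh
# Added example (not part of the bug report or of any PostgreSQL package).
# Audits how a PostgreSQL postmaster is exposed: first from the listening
# sockets, then from postgresql.conf. Conf keys understood: tcpip_socket and
# virtual_host (7.x), listen_addresses (8.0 and later). These are assumptions
# about the release in use; check your own postgresql.conf for which apply.

# Constructed `netstat -ltn` samples: the reporter's default (wildcard bind)
# and a hardened box (loopback only).
SAMPLE_NETSTAT_OPEN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

SAMPLE_NETSTAT_HARDENED='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN'

# Constructed postgresql.conf fragments (7.x syntax) for the same two states.
SAMPLE_CONF_OPEN="# TCP/IP enabled, no address restriction: binds every interface
tcpip_socket = true
port = 5432"

SAMPLE_CONF_HARDENED="tcpip_socket = true
virtual_host = '127.0.0.1'   # only the loopback address"

# pg_wildcard_listener [NETSTAT_TEXT]
# Exit 0 if a TCP listener on port 5432 is bound to the wildcard address
# (0.0.0.0, :: or *), exit 1 otherwise. With no argument it runs netstat.
pg_wildcard_listener() {
    input=${1:-$(netstat -ltn 2>/dev/null)}
    printf '%s\n' "$input" |
        awk '$1 ~ /^tcp6?$/ && $4 ~ /^(0\.0\.0\.0|::|\*):5432$/ { found = 1 }
             END { exit !found }'
}

# pg_conf_tcp_policy < postgresql.conf
# Prints the TCP exposure the config implies: unix-only, localhost, specific,
# wildcard, or default (neither key set; the built-in default depends on the
# release: Unix sockets only in 7.x, localhost in 8.0 and later).
pg_conf_tcp_policy() {
    awk -v q="'" '
        function classify(a) {
            if (a == "")                                        return "unix-only"
            if (a == "*" || a == "0.0.0.0" || a == "::")        return "wildcard"
            if (a == "localhost" || a == "127.0.0.1" || a == "::1") return "localhost"
            return "specific"
        }
        { sub(/#.*/, "") }                      # drop comments before parsing
        /^[ \t]*(tcpip_socket|virtual_host|listen_addresses)[ \t]*=/ {
            key = $1; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            gsub(q, "", val); gsub(/[ \t]+$/, "", val)   # strip quotes, trailing space
            cfg[key] = val
        }
        END {
            if ("listen_addresses" in cfg)
                print classify(cfg["listen_addresses"])
            else if ("tcpip_socket" in cfg) {
                t = tolower(cfg["tcpip_socket"])
                if (t == "false" || t == "off" || t == "0") print "unix-only"
                else if (cfg["virtual_host"] != "")         print classify(cfg["virtual_host"])
                else                                        print "wildcard"
            } else
                print "default"
        }'
}

# pg_hardening_steps TRUSTED_CIDR
# Prints the two layers of the fix: the conf change, and a host-firewall rule
# (ipchains on 2.4 kernels, iptables otherwise) that keeps 5432 reachable only
# from TRUSTED_CIDR even if the bind policy regresses on the next upgrade.
pg_hardening_steps() {
    cidr=${1:?trusted CIDR required}
    cat <<EOF
# postgresql.conf (7.x): keep the postmaster off TCP entirely ...
tcpip_socket = false
# ... or, if TCP is needed, bind one address (8.0+: listen_addresses = '127.0.0.1')
virtual_host = '127.0.0.1'
# host firewall, 2.4 kernel with ipchains (rules are not persistent; re-add at boot)
ipchains -A input -p tcp -s $cidr -d 0.0.0.0/0 5432 -j ACCEPT
ipchains -A input -p tcp -d 0.0.0.0/0 5432 -j DENY
# same policy with iptables
iptables -A INPUT -p tcp -s $cidr --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp --dport 5432 -j DROP
EOF
}
```

On a live box run `pg_wildcard_listener && echo "5432 open on all addresses"` and `pg_conf_tcp_policy < /var/lib/pgsql/data/postgresql.conf`; if the first says exposed while the second says unix-only or default, something other than postgresql.conf (the init script's command line, for instance) is turning TCP on, which is exactly the disagreement in this report. The socket check is the one that matters: nmap from another host should agree with it, and the firewall rule is the safety net for the case where the server version cannot bind a single address.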