Description of problem:
SAM 1.0 uses the PostgreSQL database. By default it listens on localhost (good) and all network IPs (bad). SAM only needs to talk to PostgreSQL locally; removing the network listening from all IPs would significantly reduce the attack surface of PostgreSQL with no impact to the SAM product.

Assuming SAM keeps the config files in the normal locations, simply edit /var/lib/pgsql/data/postgresql.conf and ensure the line

    listen_addresses = 'localhost'

is present.

How reproducible:
Always

Steps to Reproduce:
1. Install SAM
2. netstat -vatn - postgresql is listening on 0.0.0.0:5432
3.

Actual results:

Expected results:

Additional info:
Yeah, this is a valid request I guess. But I am testing it right now to see if it does not hurt us. Candlepin uses PGSQL too, not sure if they both connect to localhost.
Uh, for some reason my pull request got deleted. Resubmitting again: https://github.com/Katello/katello/pull/403
fixed in katello.git in commit aa6286b
It was not clear why the applied fix added a line that was commented out:

    grep "listen_address" /var/lib/pgsql/data/postgresql.conf
    # "pg_ctl reload". Some settings, such as listen_addresses, require
    #listen_addresses = '*'

FailedQA using:
* candlepin-0.7.12-1.el6_3.noarch
* candlepin-tomcat6-0.7.12-1.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1h.el6_3.noarch
* katello-cli-common-1.1.10-1h.el6_3.noarch
* katello-cli-headpin-0.2.2-1.el6_2.noarch
* katello-common-1.1.14-2h.el6_3.noarch
* katello-configure-1.1.11-1h.el6_3.noarch
* katello-glue-candlepin-1.1.14-2h.el6_3.noarch
* katello-headpin-1.1.14-2h.el6_3.noarch
* katello-headpin-all-1.1.14-2h.el6_3.noarch
* katello-selinux-1.1.2-1h.el6_3.noarch
    # netstat -putna | grep 5432
    tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 2790/postmaster
    tcp 0 0 127.0.0.1:5432 127.0.0.1:56061 ESTABLISHED 8737/postgres
    tcp 0 0 127.0.0.1:5432 127.0.0.1:56272 ESTABLISHED 9242/postgres
    tcp 0 0 127.0.0.1:5432 127.0.0.1:56430 ESTABLISHED 9820/postgres
    tcp 0 0 ::1:5432 :::* LISTEN 2790/postmaster
    tcp 0 0 ::1:38356 ::1:5432 ESTABLISHED 8986/thin server (1
    tcp 0 0 ::1:5432 ::1:38395 ESTABLISHED 9163/postgres: kate
    tcp 0 0 ::1:38318 ::1:5432 ESTABLISHED 8945/thin server (1
    tcp 0 0 ::1:38489 ::1:5432 ESTABLISHED 9220/katello/delaye
    tcp 0 0 ::ffff:127.0.0.1:56272 ::ffff:127.0.0.1:5432 ESTABLISHED 8716/java
    tcp 0 0 ::1:5432 ::1:35893 ESTABLISHED 4373/postgres: kate
    tcp 0 0 ::1:5432 ::1:38321 ESTABLISHED 9123/postgres: kate
    tcp 0 0 ::1:35893 ::1:5432 ESTABLISHED 4361/katello/delaye
    tcp 0 0 ::1:5432 ::1:38489 ESTABLISHED 9222/postgres: kate
    tcp 0 0 ::ffff:127.0.0.1:56061 ::ffff:127.0.0.1:5432 ESTABLISHED 8716/java
    tcp 0 0 ::1:38311 ::1:5432 ESTABLISHED 8939/thin server (1
    tcp 0 0 ::1:5432 ::1:38356 ESTABLISHED 9143/postgres: kate
    tcp 0 0 ::ffff:127.0.0.1:56430 ::ffff:127.0.0.1:5432 ESTABLISHED 8716/java
    tcp 0 0 ::1:38321 ::1:5432 ESTABLISHED 8934/thin server (1
    tcp 0 0 ::1:5432 ::1:38311 ESTABLISHED 9113/postgres: kate
    tcp 0 0 ::1:38395 ::1:5432 ESTABLISHED 8967/thin server (1
    tcp 0 0 ::1:5432 ::1:38318 ESTABLISHED 9121/postgres: kate
As per Lukas's recommendation I:
* service iptables stop
* telnet [my-system-ip] 5432

    Trying [my-system-ip]...
    telnet: connect to address [my-system-ip]: Connection refused
Verified:
* candlepin-0.7.12-1.el6_3.noarch
* candlepin-tomcat6-0.7.12-1.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1h.el6_3.noarch
* katello-cli-common-1.1.10-1h.el6_3.noarch
* katello-cli-headpin-0.2.2-1.el6_2.noarch
* katello-common-1.1.14-2h.el6_3.noarch
* katello-configure-1.1.11-1h.el6_3.noarch
* katello-glue-candlepin-1.1.14-2h.el6_3.noarch
* katello-headpin-1.1.14-2h.el6_3.noarch
* katello-headpin-all-1.1.14-2h.el6_3.noarch
* katello-selinux-1.1.2-1h.el6_3.noarch
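The two checks the thread relies on (what value of listen_addresses PostgreSQL will actually use, and whether a port-5432 listener is bound to a wildcard address) can be scripted. The following is an added example written for this page; it is not code from the bug report, from Katello, or from the Red Hat fix. It follows the postgresql.conf rules that explain the confusion in the FailedQA comment above: everything after '#' is a comment, so a "#listen_addresses = '*'" line has no effect; when the parameter appears more than once the last uncommented assignment wins; and when it is absent the server default is 'localhost'. The netstat column layout it assumes is the one shown in the "netstat -putna" output above (local address in column 4, state in column 6); the sample config and sample netstat lines are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not the bug report's or Katello's own code).
#  effective_listen_addresses FILE : print the listen_addresses value PostgreSQL
#      will use from FILE, honouring comments, last-assignment-wins and the
#      built-in default of 'localhost'. An explicit '' (TCP disabled) prints
#      "(none)" so it is not confused with the default.
#  wildcard_pg_listeners           : read netstat -tln / -putna style lines on
#      stdin, print any LISTEN socket on port 5432 bound to 0.0.0.0 or :: and
#      exit 1 if one was found (0 otherwise).

effective_listen_addresses() {
    # q carries a single quote into awk, which cannot appear inside the
    # single-quoted program text below.
    awk -v q="'" '
        { sub(/#.*/, "") }                           # strip comments first
        /^[ \t]*listen_addresses[ \t]*(=|[ \t])/ {   # "=" is optional in postgresql.conf
            sub(/^[ \t]*listen_addresses[ \t]*=?[ \t]*/, "")
            gsub(q, "")                              # drop surrounding quotes
            sub(/[ \t]+$/, "")
            val = $0; found = 1                      # later lines overwrite earlier ones
        }
        END {
            if (!found)        print "localhost"     # server default when unset
            else if (val == "") print "(none)"       # listen_addresses = '' disables TCP
            else               print val
        }
    ' "$1"
}

wildcard_pg_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")                    # last field is the port
            if (a[n] == "5432" && (a[1] == "0.0.0.0" || $4 == ":::5432")) {
                print $4; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample postgresql.conf: the commented '*' line is ignored and the
# second uncommented assignment overrides the first.
tmpconf=$(mktemp)
cat > "$tmpconf" <<'EOF'
# - Connection Settings -
#listen_addresses = '*'
listen_addresses = '*'            # the setting this bug report objects to
listen_addresses = 'localhost'    # last assignment wins
port = 5432
EOF
echo "effective listen_addresses: $(effective_listen_addresses "$tmpconf")"
rm -f "$tmpconf"

# Constructed netstat sample: one wildcard listener, one loopback listener.
printf '%s\n' \
    'tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 2790/postmaster' \
    'tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 2790/postmaster' \
    | wildcard_pg_listeners && echo "no wildcard PostgreSQL listeners" \
    || echo "PostgreSQL is reachable from the network on the address(es) above"
```

On a real host, point effective_listen_addresses at /var/lib/pgsql/data/postgresql.conf and pipe the live "netstat -putna" output into wildcard_pg_listeners; the config check tells you what the server will do after the next restart, while the socket check tells you what it is doing now, which is why the verification above also used a telnet from outside the host.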
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0544.html