Bug 819611 - [RFE] SAM 1.0 Have PostgreSQL only listen on 127.0.0.1 instead of 127.0.0.1 and 0.0.0.0
Status: CLOSED ERRATA
Product: Subscription Asset Manager
Classification: Red Hat
Component: katello-configure (Show other bugs)
1.0.0
All All
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Suchý
Og Maciel
: FutureFeature, Triaged
Depends On:
Blocks: sam12-tracker 820624 876492
Reported: 2012-05-07 13:46 EDT by Kurt Seifried
Modified: 2013-02-21 14:16 EST (History)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 820624 (view as bug list)
Environment:
Last Closed: 2013-02-21 14:16:06 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Description Kurt Seifried 2012-05-07 13:46:39 EDT
Description of problem:

SAM 1.0 uses the PostgreSQL database. By default it listens on localhost (good) and all network IPs (bad). SAM only needs to talk to PostgreSQL locally; removing the network listening from all IPs would significantly reduce the attack surface of PostgreSQL with no impact to the SAM product.

Assuming SAM keeps the config files in the normal locations, simply edit:

/var/lib/pgsql/data/postgresql.conf

and ensure the line 

listen_addresses = 'localhost'

is present. 

How reproducible:

Always

Steps to Reproduce:
1. Install SAM
2. netstat -vatn - postgresql is listening on 0.0.0.0:5432
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Lukas Zapletal 2012-05-15 05:46:35 EDT
Yeah, this is a valid request I guess. But I am testing it right now to make sure it does not hurt us. Candlepin uses PGSQL too, not sure if they both connect to localhost.
Comment 3 Lukas Zapletal 2012-07-31 03:22:13 EDT
Uh, for some reason my pull request got deleted. Resubmitting again: https://github.com/Katello/katello/pull/403
Comment 4 Miroslav Suchý 2012-08-06 07:54:33 EDT
fixed in katello.git in commit aa6286b
Comment 6 Og Maciel 2012-10-09 16:40:23 EDT
It was not clear why the applied fix added a line that was commented out:

  grep "listen_address" /var/lib/pgsql/data/postgresql.conf 
  # "pg_ctl reload". Some settings, such as listen_addresses, require
  #listen_addresses = '*'


FailedQA using:

* candlepin-0.7.12-1.el6_3.noarch
* candlepin-tomcat6-0.7.12-1.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1h.el6_3.noarch
* katello-cli-common-1.1.10-1h.el6_3.noarch
* katello-cli-headpin-0.2.2-1.el6_2.noarch
* katello-common-1.1.14-2h.el6_3.noarch
* katello-configure-1.1.11-1h.el6_3.noarch
* katello-glue-candlepin-1.1.14-2h.el6_3.noarch
* katello-headpin-1.1.14-2h.el6_3.noarch
* katello-headpin-all-1.1.14-2h.el6_3.noarch
* katello-selinux-1.1.2-1h.el6_3.noarch
Comment 8 Og Maciel 2012-10-10 10:20:00 EDT
# netstat -putna | grep 5432
tcp        0      0 127.0.0.1:5432              0.0.0.0:*                   LISTEN      2790/postmaster     
tcp        0      0 127.0.0.1:5432              127.0.0.1:56061             ESTABLISHED 8737/postgres       
tcp        0      0 127.0.0.1:5432              127.0.0.1:56272             ESTABLISHED 9242/postgres       
tcp        0      0 127.0.0.1:5432              127.0.0.1:56430             ESTABLISHED 9820/postgres       
tcp        0      0 ::1:5432                    :::*                        LISTEN      2790/postmaster     
tcp        0      0 ::1:38356                   ::1:5432                    ESTABLISHED 8986/thin server (1 
tcp        0      0 ::1:5432                    ::1:38395                   ESTABLISHED 9163/postgres: kate 
tcp        0      0 ::1:38318                   ::1:5432                    ESTABLISHED 8945/thin server (1 
tcp        0      0 ::1:38489                   ::1:5432                    ESTABLISHED 9220/katello/delaye 
tcp        0      0 ::ffff:127.0.0.1:56272      ::ffff:127.0.0.1:5432       ESTABLISHED 8716/java           
tcp        0      0 ::1:5432                    ::1:35893                   ESTABLISHED 4373/postgres: kate 
tcp        0      0 ::1:5432                    ::1:38321                   ESTABLISHED 9123/postgres: kate 
tcp        0      0 ::1:35893                   ::1:5432                    ESTABLISHED 4361/katello/delaye 
tcp        0      0 ::1:5432                    ::1:38489                   ESTABLISHED 9222/postgres: kate 
tcp        0      0 ::ffff:127.0.0.1:56061      ::ffff:127.0.0.1:5432       ESTABLISHED 8716/java           
tcp        0      0 ::1:38311                   ::1:5432                    ESTABLISHED 8939/thin server (1 
tcp        0      0 ::1:5432                    ::1:38356                   ESTABLISHED 9143/postgres: kate 
tcp        0      0 ::ffff:127.0.0.1:56430      ::ffff:127.0.0.1:5432       ESTABLISHED 8716/java           
tcp        0      0 ::1:38321                   ::1:5432                    ESTABLISHED 8934/thin server (1 
tcp        0      0 ::1:5432                    ::1:38311                   ESTABLISHED 9113/postgres: kate 
tcp        0      0 ::1:38395                   ::1:5432                    ESTABLISHED 8967/thin server (1 
tcp        0      0 ::1:5432                    ::1:38318                   ESTABLISHED 9121/postgres: kate
Comment 9 Og Maciel 2012-10-10 11:06:04 EDT
As per Lukas's recommendation I:

* service iptables stop
* telnet [my-system-ip] 5432
Trying [my-system-ip]...
telnet: connect to address [my-system-ip]: Connection refused
Comment 10 Og Maciel 2012-10-10 11:07:02 EDT
Verified:

* candlepin-0.7.12-1.el6_3.noarch
* candlepin-tomcat6-0.7.12-1.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1h.el6_3.noarch
* katello-cli-common-1.1.10-1h.el6_3.noarch
* katello-cli-headpin-0.2.2-1.el6_2.noarch
* katello-common-1.1.14-2h.el6_3.noarch
* katello-configure-1.1.11-1h.el6_3.noarch
* katello-glue-candlepin-1.1.14-2h.el6_3.noarch
* katello-headpin-1.1.14-2h.el6_3.noarch
* katello-headpin-all-1.1.14-2h.el6_3.noarch
* katello-selinux-1.1.2-1h.el6_3.noarch
Comment 12 errata-xmlrpc 2013-02-21 14:16:06 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0544.html
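A small check script, added here as an example (it is not part of the bug report or of katello-configure), that reads the effective listen_addresses the way PostgreSQL does and reports whether the server is restricted to loopback; the sample postgresql.conf files inside it are constructed, not taken from a SAM host.

```shell
#!/bin/sh
# Added example (not from the bug report or katello-configure): report the
# listen_addresses value PostgreSQL will actually use and flag non-loopback binds.
# PostgreSQL honours the LAST uncommented assignment, so a bare grep that also
# matches "#listen_addresses = '*'" (as in comment 6) says nothing about the
# live setting.

# Print the effective listen_addresses; PostgreSQL's compiled-in default is localhost.
effective_listen_addresses() {
    awk -v q="'" '
        { sub(/#.*/, "") }                   # drop comments (whole-line ones too)
        /^[ \t]*listen_addresses[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)      # keep the right-hand side only
            gsub("[\"" q "]", "", v)         # strip quotes
            sub(/[ \t]+$/, "", v)
            val = v                          # a later assignment overrides an earlier one
        }
        END { if (val == "") val = "localhost"; print val }
    ' "$1"
}

# Succeed only when every comma-separated entry is loopback; "*", "0.0.0.0",
# "::" or any interface address makes the check fail.
loopback_only() {
    addrs=$(effective_listen_addresses "$1")
    old_ifs=$IFS; IFS=','; set -f            # split on commas; set -f stops "*" globbing
    for a in $addrs; do
        a=$(printf '%s' "$a" | tr -d ' \t')
        case "$a" in
            ""|localhost|127.0.0.1|::1) ;;
            *) IFS=$old_ifs; set +f; return 1 ;;
        esac
    done
    IFS=$old_ifs; set +f
}

# Constructed sample configs: the first mirrors what comment 6 saw (only a
# commented-out line, so the default localhost applies); the second has a live
# wildcard assignment, i.e. the exposure this bug is about.
fixed_conf=$(mktemp); bad_conf=$(mktemp)
printf '%s\n' "# pg_ctl reload. Some settings, such as listen_addresses, require" \
    "#listen_addresses = '*'" "port = 5432" > "$fixed_conf"
printf '%s\n' "listen_addresses = '*'   # every interface" "port = 5432" > "$bad_conf"
printf 'fixed: %s\n' "$(effective_listen_addresses "$fixed_conf")"   # localhost
printf 'bad:   %s\n' "$(effective_listen_addresses "$bad_conf")"     # *
loopback_only "$fixed_conf" && echo "fixed conf: loopback only"
loopback_only "$bad_conf"   || echo "bad conf: reachable from the network"
rm -f "$fixed_conf" "$bad_conf"
```

Run it against /var/lib/pgsql/data/postgresql.conf on the host, then confirm with netstat (as in comments 8 and 9) that 5432 is bound to 127.0.0.1 and ::1 only.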
