[removing to hackers as it is of general interest]
Tom Lane wrote:
Andrew Dunstan wrote:
That seems to me to get as close as reasonably possible to the Unix behaviour. I don't think that always allowing localhost connections on Windows is a big security risk.
Is it a big security risk anywhere? Perhaps there is a case to be made that on all platforms, "-i" should enable or disable only nonlocal connections. Without -i we'd only allow binding to loopback ports (either IP4 or IP6).
Aside from keeping the Windows and Unix behaviors similar, this would be of some positive benefit for people who use TCP-only clients. They'd not have to remember to set -i anymore, unless they want remote access.
In response to Andrew's table, here's what I'm visualizing:
* No -i: bind only to loopback addresses (both IP4 and IP6 if available). * With -i, but not virtual_host: bind to all available addresses. * With -i and virtual_host: bind to specified address(es) only.
(Note this is orthogonal to pg_hba.conf checks; we are talking about what socket addresses the postmaster listens on.)
I don't have a strong feeling about the case of virtual_host without -i.
The above says to ignore virtual_host, but maybe we should instead
ignore the lack of -i and do what virtual_host says.
This slipped off my radar. I have just spent a little while thinking about it. How about this: we replace tcpip_socket and virtual_host with a new var called listen_addresses, which can have values of "local", "all", or a list of addresses? The default would be "local" and -i would correspond to "all".
Yes, I know it's not backwards compatible, but we just went through that argument with log_line_prefix ;-)
Actually, if we wanted to go the whole hog with virtual hosting we'd allow per-address port specification, like apache does, but maybe that's something to be left for another day ;-)
cheers
andrew
---------------------------(end of broadcast)--------------------------- TIP 2: you can get off all lists at once with the unregister command (send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])
