Package: postgresql-11
Version: 11.5-1.pgdg100+1

When I manually launch a postgres server using the -h flag to specify
the IP that the server listens on, it is not respected. Instead the
requested port is bound on all IPs for the given machine.

$ ip address | grep "inet "
    inet 127.0.0.1/8 scope host lo
    inet 172.27.16.50/24 brd 172.27.16.255 scope global dynamic noprefixroute wlp0s20f3
$ nmap -p 1045 172.27.16.50
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-20 14:13 CDT
Nmap scan report for 172.27.16.50
Host is up (0.000053s latency).

PORT     STATE  SERVICE
1045/tcp closed fpitp

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
$ # launch postgres (in another terminal)
$ /usr/lib/postgresql/11/bin/postgres \
    -h127.0.0.1 \
    -p1045 \
    -D/home/[redacted]/postgres \
    -k/home/[redacted]/postgres \
    -i;
$ nmap -p 1045 172.27.16.50
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-20 14:17 CDT
Nmap scan report for 172.27.16.50
Host is up (0.000048s latency).

PORT     STATE SERVICE
1045/tcp open  fpitp

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

The same incorrect behavior (listening on all IPs) occurs when setting
`listen_addresses='127.0.0.1'` in postgresql.conf. Instead, I would
expect postgres to only listen on the requested IPs. This is a
reasonably serious error as it could potentially expose a postgres
server to a public network when it is expected to only bind to a
private network.

I am using Debian GNU/Linux Buster 10.0 with kernel 4.19.0-5-amd64.

Best,
-Andy
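
A local check of which addresses a port is actually bound on, complementing the nmap probe in the report. This is an added example, not part of the original message: it parses `ss -ltnH` output, and the function names `bind_scope` and `check_bind` as well as the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify how a TCP port is bound, from `ss -ltnH` output on stdin.
# On a live host:  ss -ltnH | bind_scope 1045

# Constructed samples of `ss -ltnH` output (not captured from the reporter's machine).
sample_loopback='LISTEN 0 128 127.0.0.1:1045 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
sample_wildcard='LISTEN 0 128 0.0.0.0:1045 0.0.0.0:*
LISTEN 0 128 [::]:1045 [::]:*'

# bind_scope PORT: prints one of
#   wildcard              bound on every address (0.0.0.0, [::] or *)
#   specific:<a>[,<b>..]  bound only on the listed addresses
#   none                  nothing is listening on PORT
bind_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4                          # "Local Address:Port" column
            n = match(la, /:[0-9]+$/)        # port follows the last colon
            if (n == 0) next
            if (substr(la, n + 1) != port) next
            addr = substr(la, 1, n - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                wild = 1
            else
                list = (list == "" ? addr : list "," addr)
        }
        END {
            if (wild) print "wildcard"
            else if (list != "") print "specific:" list
            else print "none"
        }'
}

# check_bind PORT ADDR: exit status 0 only if PORT is bound on ADDR alone,
# so it can gate a deployment script or a monitoring probe.
check_bind() {
    [ "$(bind_scope "$1")" = "specific:$2" ]
}
```

A `wildcard` result for a service meant to be loopback-only is the condition the report describes; `check_bind 1045 127.0.0.1` turns that into a non-zero exit status.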
