Re: [HACKERS] Min value for port

2013-06-27 Thread Christopher Browne
On Thu, Jun 27, 2013 at 9:22 AM, Andres Freund wrote:

> On 2013-06-27 15:11:26 +0200, Magnus Hagander wrote:
> > On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut 
> wrote:
> > > On 6/27/13 6:34 AM, Magnus Hagander wrote:
> > >> Is there a reason why we have set the min allowed value for port to 1,
> > >> not 1024? Given that you can't actually start postgres with a value of
> > >> <1024, shoulnd't the entry in pg_settings reference that as well?
> > >
> > > Are you thinking of the restriction that you need to be root to use
> > > ports <1024?  That restriction is not necessarily universal.  We can
> let
> > > the kernel tell us at run time if it doesn't like our port.
> >
> > Yes, that's the restriction I was talking about. It's just a bit
> > annoying that if you look at pg_settings.min_value it doesn't actually
> > tell you the truth. But yeah, I believe Windows actually lets you use
> > a lower port number, so it'd at least have to be #ifdef'ed for that if
> > we wanted to change it.
>
> You can easily change the setting on linux as well. And you can grant
> specific binaries the permission to bind to restricted ports without
> being root.
> I don't think the additional complexity to get a sensible value in there
> is warranted.
>

With that large a set of local policies that can change the "usual
< 1024" policy, yep, I agree that it's not worth trying too hard on this
one.

And supposing something like SE-Linux can grant bindings for a particular
user/binary to access a *specific* port, that represents a model that is
pretty incompatible with the notion of a "minimum value."

On the one hand, the idea of having to add a lot of platform-specific
code (which may further be specific to a framework like SE-Linux)
is not terribly appealing.

Further, if the result is something that doesn't really fit with a
"minimum,"
is it much worth fighting with the platform localities?

Indeed, I begin to question whether indicating a "minimum" is actually
meaningful.
-- 
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"


Re: [HACKERS] Min value for port

2013-06-27 Thread Andres Freund
On 2013-06-27 15:11:26 +0200, Magnus Hagander wrote:
> On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut  wrote:
> > On 6/27/13 6:34 AM, Magnus Hagander wrote:
> >> Is there a reason why we have set the min allowed value for port to 1,
> >> not 1024? Given that you can't actually start postgres with a value of
> >> <1024, shoulnd't the entry in pg_settings reference that as well?
> >
> > Are you thinking of the restriction that you need to be root to use
> > ports <1024?  That restriction is not necessarily universal.  We can let
> > the kernel tell us at run time if it doesn't like our port.
> 
> Yes, that's the restriction I was talking about. It's just a bit
> annoying that if you look at pg_settings.min_value it doesn't actually
> tell you the truth. But yeah, I believe Windows actually lets you use
> a lower port number, so it'd at least have to be #ifdef'ed for that if
> we wanted to change it.

You can easily change the setting on linux as well. And you can grant
specific binaries the permission to bind to restricted ports without
being root.
I don't think the additional complexity to get a sensible value in there
is warranted.

Greetings,

Andres Freund

-- 
 Andres Freund http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers


Re: [HACKERS] Min value for port

2013-06-27 Thread Jan UrbaƄski

On 27/06/13 15:11, Magnus Hagander wrote:

On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut  wrote:

On 6/27/13 6:34 AM, Magnus Hagander wrote:

Is there a reason why we have set the min allowed value for port to 1,
not 1024? Given that you can't actually start postgres with a value of
<1024, shoulnd't the entry in pg_settings reference that as well?


Are you thinking of the restriction that you need to be root to use
ports <1024?  That restriction is not necessarily universal.  We can let
the kernel tell us at run time if it doesn't like our port.


Yes, that's the restriction I was talking about. It's just a bit
annoying that if you look at pg_settings.min_value it doesn't actually
tell you the truth. But yeah, I believe Windows actually lets you use
a lower port number, so it'd at least have to be #ifdef'ed for that if
we wanted to change it.


There's also authbind and CAP_NET_BIND_SERVICE.

Jan


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers


Re: [HACKERS] Min value for port

2013-06-27 Thread Magnus Hagander
On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut  wrote:
> On 6/27/13 6:34 AM, Magnus Hagander wrote:
>> Is there a reason why we have set the min allowed value for port to 1,
>> not 1024? Given that you can't actually start postgres with a value of
>> <1024, shoulnd't the entry in pg_settings reference that as well?
>
> Are you thinking of the restriction that you need to be root to use
> ports <1024?  That restriction is not necessarily universal.  We can let
> the kernel tell us at run time if it doesn't like our port.

Yes, that's the restriction I was talking about. It's just a bit
annoying that if you look at pg_settings.min_value it doesn't actually
tell you the truth. But yeah, I believe Windows actually lets you use
a lower port number, so it'd at least have to be #ifdef'ed for that if
we wanted to change it.


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers


Re: [HACKERS] Min value for port

2013-06-27 Thread Peter Eisentraut
On 6/27/13 6:34 AM, Magnus Hagander wrote:
> Is there a reason why we have set the min allowed value for port to 1,
> not 1024? Given that you can't actually start postgres with a value of
> <1024, shoulnd't the entry in pg_settings reference that as well?

Are you thinking of the restriction that you need to be root to use
ports <1024?  That restriction is not necessarily universal.  We can let
the kernel tell us at run time if it doesn't like our port.




-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers


[HACKERS] Min value for port

2013-06-27 Thread Magnus Hagander
Is there a reason why we have set the min allowed value for port to 1,
not 1024? Given that you can't actually start postgres with a value of
<1024, shoulnd't the entry in pg_settings reference that as well?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers