Re: [HACKERS] Min value for port
On Thu, Jun 27, 2013 at 9:22 AM, Andres Freund wrote:
> On 2013-06-27 15:11:26 +0200, Magnus Hagander wrote:
> > On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut wrote:
> > > On 6/27/13 6:34 AM, Magnus Hagander wrote:
> > >> Is there a reason why we have set the min allowed value for port to 1,
> > >> not 1024? Given that you can't actually start postgres with a value of
> > >> <1024, shouldn't the entry in pg_settings reference that as well?
> > >
> > > Are you thinking of the restriction that you need to be root to use
> > > ports <1024? That restriction is not necessarily universal. We can let
> > > the kernel tell us at run time if it doesn't like our port.
> >
> > Yes, that's the restriction I was talking about. It's just a bit
> > annoying that if you look at pg_settings.min_value it doesn't actually
> > tell you the truth. But yeah, I believe Windows actually lets you use
> > a lower port number, so it'd at least have to be #ifdef'ed for that if
> > we wanted to change it.
>
> You can easily change the setting on linux as well. And you can grant
> specific binaries the permission to bind to restricted ports without
> being root.
> I don't think the additional complexity to get a sensible value in there
> is warranted.

With that large a set of local policies that can change the "usual < 1024" policy, yep, I agree that it's not worth trying too hard on this one.

And supposing something like SE-Linux can grant bindings for a particular user/binary to access a *specific* port, that represents a model that is pretty incompatible with the notion of a "minimum value."

On the one hand, the idea of having to add a lot of platform-specific code (which may further be specific to a framework like SE-Linux) is not terribly appealing. Further, if the result is something that doesn't really fit with a "minimum," is it much worth fighting with the platform localities?

Indeed, I begin to question whether indicating a "minimum" is actually meaningful.
-- When confronted by a difficult problem, solve it by reducing it to the question, "How would the Lone Ranger handle this?"
Re: [HACKERS] Min value for port
On 2013-06-27 15:11:26 +0200, Magnus Hagander wrote:
> On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut wrote:
> > On 6/27/13 6:34 AM, Magnus Hagander wrote:
> >> Is there a reason why we have set the min allowed value for port to 1,
> >> not 1024? Given that you can't actually start postgres with a value of
> >> <1024, shouldn't the entry in pg_settings reference that as well?
> >
> > Are you thinking of the restriction that you need to be root to use
> > ports <1024? That restriction is not necessarily universal. We can let
> > the kernel tell us at run time if it doesn't like our port.
>
> Yes, that's the restriction I was talking about. It's just a bit
> annoying that if you look at pg_settings.min_value it doesn't actually
> tell you the truth. But yeah, I believe Windows actually lets you use
> a lower port number, so it'd at least have to be #ifdef'ed for that if
> we wanted to change it.

You can easily change the setting on linux as well. And you can grant specific binaries the permission to bind to restricted ports without being root.
I don't think the additional complexity to get a sensible value in there is warranted.

Greetings,

Andres Freund

--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Min value for port
On 27/06/13 15:11, Magnus Hagander wrote:
> On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut wrote:
> > On 6/27/13 6:34 AM, Magnus Hagander wrote:
> >> Is there a reason why we have set the min allowed value for port to 1,
> >> not 1024? Given that you can't actually start postgres with a value of
> >> <1024, shouldn't the entry in pg_settings reference that as well?
> >
> > Are you thinking of the restriction that you need to be root to use
> > ports <1024? That restriction is not necessarily universal. We can let
> > the kernel tell us at run time if it doesn't like our port.
>
> Yes, that's the restriction I was talking about. It's just a bit
> annoying that if you look at pg_settings.min_value it doesn't actually
> tell you the truth. But yeah, I believe Windows actually lets you use
> a lower port number, so it'd at least have to be #ifdef'ed for that if
> we wanted to change it.

There's also authbind and CAP_NET_BIND_SERVICE.

Jan
Re: [HACKERS] Min value for port
On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut wrote:
> On 6/27/13 6:34 AM, Magnus Hagander wrote:
>> Is there a reason why we have set the min allowed value for port to 1,
>> not 1024? Given that you can't actually start postgres with a value of
>> <1024, shouldn't the entry in pg_settings reference that as well?
>
> Are you thinking of the restriction that you need to be root to use
> ports <1024? That restriction is not necessarily universal. We can let
> the kernel tell us at run time if it doesn't like our port.

Yes, that's the restriction I was talking about. It's just a bit annoying that if you look at pg_settings.min_value it doesn't actually tell you the truth. But yeah, I believe Windows actually lets you use a lower port number, so it'd at least have to be #ifdef'ed for that if we wanted to change it.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
Re: [HACKERS] Min value for port
On 6/27/13 6:34 AM, Magnus Hagander wrote:
> Is there a reason why we have set the min allowed value for port to 1,
> not 1024? Given that you can't actually start postgres with a value of
> <1024, shouldn't the entry in pg_settings reference that as well?

Are you thinking of the restriction that you need to be root to use ports <1024? That restriction is not necessarily universal. We can let the kernel tell us at run time if it doesn't like our port.
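The approach described in the message above ("let the kernel tell us at run time"), as an added example that is not part of the thread and not PostgreSQL's own code: the static check covers only the valid port range, and the result of bind() decides whether local policy allows the port. The names probe_port, classify_bind_errno and the port_verdict enum are hypothetical, and the probe binds on IPv4 loopback only.

```c
/* Added example (not PostgreSQL source). All names here are hypothetical. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum port_verdict { PORT_OK, PORT_OUT_OF_RANGE, PORT_DENIED, PORT_IN_USE, PORT_OTHER };

/* The only bound that holds on every platform: a valid TCP port number. */
static int port_in_static_range(long port) { return port >= 1 && port <= 65535; }

/* Translate the errno left by bind() (0 on success) into a verdict. */
enum port_verdict classify_bind_errno(int err)
{
    switch (err) {
    case 0:          return PORT_OK;
    case EACCES:     return PORT_DENIED;  /* local policy refused this port */
    case EADDRINUSE: return PORT_IN_USE;
    default:         return PORT_OTHER;
    }
}

/* Range-check the port, then ask the kernel by attempting a loopback bind. */
enum port_verdict probe_port(long port)
{
    struct sockaddr_in addr;
    int fd, err;

    if (!port_in_static_range(port)) return PORT_OUT_OF_RANGE;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return PORT_OTHER;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons((unsigned short) port);
    err = bind(fd, (struct sockaddr *) &addr, sizeof addr) == 0 ? 0 : errno;
    close(fd);
    return classify_bind_errno(err);
}

int main(void)
{
    static const char *names[] = { "ok", "out of range", "permission denied", "in use", "other error" };
    long ports[] = { 0, 80, 5432, 70000 };  /* constructed sample values */
    for (int i = 0; i < 4; i++)
        printf("port %ld: %s\n", ports[i], names[probe_port(ports[i])]);
    return 0;
}
```

The verdict for port 80 depends on the host: an unprivileged process typically gets "permission denied", while the same binary run as root or granted CAP_NET_BIND_SERVICE gets "ok" or "in use".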
[HACKERS] Min value for port
Is there a reason why we have set the min allowed value for port to 1, not 1024? Given that you can't actually start postgres with a value of <1024, shouldn't the entry in pg_settings reference that as well?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/