Discussion: Min value for port

Min value for port

From
Magnus Hagander
Date:
Is there a reason why we have set the min allowed value for port to 1,
not 1024? Given that you can't actually start postgres with a value of
<1024, shouldn't the entry in pg_settings reference that as well?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/



Re: Min value for port

From
Peter Eisentraut
Date:
On 6/27/13 6:34 AM, Magnus Hagander wrote:
> Is there a reason why we have set the min allowed value for port to 1,
> not 1024? Given that you can't actually start postgres with a value of
> <1024, shouldn't the entry in pg_settings reference that as well?

Are you thinking of the restriction that you need to be root to use
ports <1024?  That restriction is not necessarily universal.  We can let
the kernel tell us at run time if it doesn't like our port.





Re: Min value for port

From
Magnus Hagander
Date:
On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut <peter_e@gmx.net> wrote:
> On 6/27/13 6:34 AM, Magnus Hagander wrote:
>> Is there a reason why we have set the min allowed value for port to 1,
>> not 1024? Given that you can't actually start postgres with a value of
>> <1024, shouldn't the entry in pg_settings reference that as well?
>
> Are you thinking of the restriction that you need to be root to use
> ports <1024?  That restriction is not necessarily universal.  We can let
> the kernel tell us at run time if it doesn't like our port.

Yes, that's the restriction I was talking about. It's just a bit
annoying that if you look at pg_settings.min_value it doesn't actually
tell you the truth. But yeah, I believe Windows actually lets you use
a lower port number, so it'd at least have to be #ifdef'ed for that if
we wanted to change it.


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/



Re: Min value for port

From
Jan Urbański
Date:
On 27/06/13 15:11, Magnus Hagander wrote:
> On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut <peter_e@gmx.net> wrote:
>> On 6/27/13 6:34 AM, Magnus Hagander wrote:
>>> Is there a reason why we have set the min allowed value for port to 1,
>>> not 1024? Given that you can't actually start postgres with a value of
>>> <1024, shouldn't the entry in pg_settings reference that as well?
>>
>> Are you thinking of the restriction that you need to be root to use
>> ports <1024?  That restriction is not necessarily universal.  We can let
>> the kernel tell us at run time if it doesn't like our port.
>
> Yes, that's the restriction I was talking about. It's just a bit
> annoying that if you look at pg_settings.min_value it doesn't actually
> tell you the truth. But yeah, I believe Windows actually lets you use
> a lower port number, so it'd at least have to be #ifdef'ed for that if
> we wanted to change it.

There's also authbind and CAP_NET_BIND_SERVICE.

Jan



Re: Min value for port

From
Andres Freund
Date:
On 2013-06-27 15:11:26 +0200, Magnus Hagander wrote:
> On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut <peter_e@gmx.net> wrote:
> > On 6/27/13 6:34 AM, Magnus Hagander wrote:
> >> Is there a reason why we have set the min allowed value for port to 1,
> >> not 1024? Given that you can't actually start postgres with a value of
> >> <1024, shouldn't the entry in pg_settings reference that as well?
> >
> > Are you thinking of the restriction that you need to be root to use
> > ports <1024?  That restriction is not necessarily universal.  We can let
> > the kernel tell us at run time if it doesn't like our port.
> 
> Yes, that's the restriction I was talking about. It's just a bit
> annoying that if you look at pg_settings.min_value it doesn't actually
> tell you the truth. But yeah, I believe Windows actually lets you use
> a lower port number, so it'd at least have to be #ifdef'ed for that if
> we wanted to change it.

You can easily change the setting on Linux as well. And you can grant
specific binaries the permission to bind to restricted ports without
being root.
I don't think the additional complexity to get a sensible value in there
is warranted.

Greetings,

Andres Freund

--
 Andres Freund                       http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services



Re: Min value for port

From
Christopher Browne
Date:
On Thu, Jun 27, 2013 at 9:22 AM, Andres Freund <andres@2ndquadrant.com> wrote:
> On 2013-06-27 15:11:26 +0200, Magnus Hagander wrote:
> > On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut <peter_e@gmx.net> wrote:
> > > On 6/27/13 6:34 AM, Magnus Hagander wrote:
> > >> Is there a reason why we have set the min allowed value for port to 1,
> > >> not 1024? Given that you can't actually start postgres with a value of
> > >> <1024, shouldn't the entry in pg_settings reference that as well?
> > >
> > > Are you thinking of the restriction that you need to be root to use
> > > ports <1024?  That restriction is not necessarily universal.  We can let
> > > the kernel tell us at run time if it doesn't like our port.
> >
> > Yes, that's the restriction I was talking about. It's just a bit
> > annoying that if you look at pg_settings.min_value it doesn't actually
> > tell you the truth. But yeah, I believe Windows actually lets you use
> > a lower port number, so it'd at least have to be #ifdef'ed for that if
> > we wanted to change it.
>
> You can easily change the setting on Linux as well. And you can grant
> specific binaries the permission to bind to restricted ports without
> being root.
> I don't think the additional complexity to get a sensible value in there
> is warranted.

With that large a set of local policies that can change the "usual
< 1024" policy, yep, I agree that it's not worth trying too hard on this one.

And supposing something like SE-Linux can grant bindings for a particular
user/binary to access a *specific* port, that represents a model that is
pretty incompatible with the notion of a "minimum value."

On the one hand, the idea of having to add a lot of platform-specific
code (which may further be specific to a framework like SE-Linux)
is not terribly appealing.

Further, if the result is something that doesn't really fit with a "minimum,"
is it much worth fighting with the platform localities?

Indeed, I begin to question whether indicating a "minimum" is actually
meaningful.
--
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
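
The thread's conclusion, that the lowest usable port is local policy which only the kernel can answer at bind time, can be checked with the following added example (not code from PostgreSQL or from any poster in this thread). It assumes a POSIX system; the Linux sysctl file `ip_unprivileged_port_start` is not named in the thread and is an assumption here, and `probe_bind`, `parse_port_start` and `explain` are hypothetical helper names.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ask the kernel: may this process bind TCP `port` on loopback?
 * Returns 0 if the bind succeeded, otherwise the errno it failed with. */
int probe_bind(unsigned short port)
{
    struct sockaddr_in addr;
    int err = 0, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0)
        err = errno;
    close(fd);
    return err;
}

/* Parse the sysctl text; -1 if it is not a port number in 0..65535. */
int parse_port_start(const char *text)
{
    int v;
    return (sscanf(text, "%d", &v) == 1 && v >= 0 && v <= 65535) ? v : -1;
}

const char *explain(int err)
{
    if (err == 0) return "allowed";
    if (err == EACCES) return "denied by local policy";
    if (err == EADDRINUSE) return "in use by another socket";
    return strerror(err);
}

int main(void)
{
    /* Assumed Linux-only path (kernel 4.11+); absent on other systems. */
    FILE *f = fopen("/proc/sys/net/ipv4/ip_unprivileged_port_start", "r");
    char buf[32] = "";
    unsigned short ports[] = {80, 1023, 1024, 5432};
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    printf("euid=%d unprivileged_port_start=%d\n", (int)geteuid(), parse_port_start(buf));
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("port %d: %s\n", (int)ports[i], explain(probe_bind(ports[i])));
    return 0;
}
```

Running it as an ordinary user, as root, and from a binary granted CAP_NET_BIND_SERVICE gives different answers for the same port numbers on the same host.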