[removing to hackers as it is of general interest]
Tom Lane wrote:
>Andrew Dunstan wrote:
>
>>That seems to me to get as close as reasonably possible to the Unix
>>behaviour. I don't think that always allowing localhost connections on
>>Windows is a big security risk.
>
>Is it a big security risk anywhere? Perhaps there is a case to be made
>that on all platforms, "-i" should enable or disable only nonlocal
>connections. Without -i we'd only allow binding to loopback ports
>(either IP4 or IP6).
>
>Aside from keeping the Windows and Unix behaviors similar, this would be
>of some positive benefit for people who use TCP-only clients. They'd
>not have to remember to set -i anymore, unless they want remote access.
>
>In response to Andrew's table, here's what I'm visualizing:
>
>* No -i: bind only to loopback addresses (both IP4 and IP6 if available).
>* With -i, but not virtual_host: bind to all available addresses.
>* With -i and virtual_host: bind to specified address(es) only.
>
>(Note this is orthogonal to pg_hba.conf checks; we are talking about
>what socket addresses the postmaster listens on.)
>
>I don't have a strong feeling about the case of virtual_host without -i.
>The above says to ignore virtual_host, but maybe we should instead
>ignore the lack of -i and do what virtual_host says.
>
This slipped off my radar. I have just spent a little while thinking
about it. How about this: we replace tcpip_socket and virtual_host with
a new var called listen_addresses, which can have values of "local",
"all", or a list of addresses? The default would be "local" and -i would
correspond to "all".

Yes, I know it's not backwards compatible, but we just went through that
argument with log_line_prefix ;-)

Actually, if we wanted to go the whole hog with virtual hosting we'd
allow per-address port specification, like apache does, but maybe that's
something to be left for another day ;-)

cheers

andrew
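The listen_addresses proposal above, modelled in Python as an added example that is not part of the original thread or of PostgreSQL's own code: it resolves "local", "all" or an explicit list into the addresses the postmaster would bind, maps the old -i / virtual_host pair onto the new variable following Tom's table, and flags settings that expose the server beyond loopback. The function names, the use of 0.0.0.0 and :: as the "all" wildcards, and ignoring virtual_host without -i are assumptions made here.

```python
"""Illustration of the listen_addresses proposal in this thread (added example,
not PostgreSQL code). Function names, the use of 0.0.0.0 and :: for "all", and
ignoring virtual_host without -i are assumptions made here."""
import ipaddress

# Loopback endpoints bound when listen_addresses = "local" (proposed default).
LOOPBACK = ["127.0.0.1", "::1"]
# Wildcard endpoints bound when listen_addresses = "all" (what -i would mean).
WILDCARD = ["0.0.0.0", "::"]


def resolve_listen_addresses(value: str) -> list[str]:
    """Turn a listen_addresses value into the socket addresses to bind.

    "local" -> loopback only; "all" -> every interface; anything else is a
    comma-separated list of literal IPv4/IPv6 addresses, each validated.
    """
    spec = value.strip().lower()
    if spec == "local":
        return list(LOOPBACK)
    if spec == "all":
        return list(WILDCARD)
    addrs = []
    for item in value.split(","):
        item = item.strip()
        if item:
            # ip_address() raises ValueError on anything that is not a literal
            # address, so a typo cannot silently change what gets exposed.
            addrs.append(str(ipaddress.ip_address(item)))
    if not addrs:
        raise ValueError("listen_addresses must be 'local', 'all' or an address list")
    return addrs


def legacy_to_listen_addresses(tcpip_socket: bool, virtual_host: str = "") -> str:
    """Map the old -i / virtual_host pair onto the new variable per Tom's table.

    No -i -> "local"; -i alone -> "all"; -i plus virtual_host -> that list.
    virtual_host without -i is ignored (one of the two options left open).
    """
    if not tcpip_socket:
        return "local"
    return virtual_host.strip() or "all"


def exposes_nonlocal(value: str) -> bool:
    """True when any resulting socket could accept off-host connections."""
    return any(not ipaddress.ip_address(a).is_loopback
               for a in resolve_listen_addresses(value))
```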