> Andrew Dunstan wrote:
>> That seems to me to get as close as reasonably possible to the Unix
>> behaviour. I don't think that always allowing localhost connections on
>> Windows is a big security risk.
Is it a big security risk anywhere? Perhaps there is a case to be made
that on all platforms, "-i" should enable or disable only nonlocal
connections. Without -i we'd only allow binding to loopback ports
(either IP4 or IP6).
Aside from keeping the Windows and Unix behaviors similar, this would be
of some positive benefit for people who use TCP-only clients. They'd
not have to remember to set -i anymore, unless they want remote access.
In response to Andrew's table, here's what I'm visualizing:
* No -i: bind only to loopback addresses (both IP4 and IP6 if available).
* With -i, but not virtual_host: bind to all available addresses.
* With -i and virtual_host: bind to specified address(es) only.
(Note this is orthogonal to pg_hba.conf checks; we are talking about
what socket addresses the postmaster listens on.)
I don't have a strong feeling about the case of virtual_host without -i.
The above says to ignore virtual_host, but maybe we should instead
ignore the lack of -i and do what virtual_host says.
regards, tom lane
