Thread: libpq port number handling
On Thu, Sep 24, 2009 at 07:57:55PM +0100, Sam Mason wrote: > > postgres@sussy:/root> createuser -D -p ricky > > I don't think you want to be passing "-p" here; it's saying to use > "ricky" as the port number, which fails (sounds like a bug if it doesn't > complain about this) giving a port number of zero Hum, why is PG doing an (unchecked) atoi on the user specified port rather than leaving it up to getaddrinfo to resolve the port? It would seem to require changing UNIXSOCK_PATH to accept a string as the "port number", which is probably a bit much of a change. The included doesn't feel very nice, but is probably more acceptable. -- Sam http://samason.me.uk/
Attachment
Sam Mason <sam@samason.me.uk> writes:
> Hum, why is PG doing an (unchecked) atoi on the user specified port
> rather than leaving it up to getaddrinfo to resolve the port? It would
> seem to require changing UNIXSOCK_PATH to accept a string as the "port
> number", which is probably a bit much of a change.
> The included doesn't feel very nice, but is probably more acceptable.
I had been thinking about applying strstr to insist that the string
contain only digits (and maybe spaces), but the range check you suggest
is probably more useful. Anyone have objections? (BTW, are port
numbers still limited to 16 bits in IPv6? If not then this won't do.)
regards, tom lane
On Thu, Sep 24, 2009 at 8:36 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > BTW, are port numbers still limited to 16 bits in IPv6? Yes. ...Robert
Sam Mason <sam@samason.me.uk> writes:
> + if (portnum < 1 || portnum > 65535)
BTW, it strikes me that we could tighten this even more by rejecting
target ports below 1024. This is guaranteed safe on all Unix systems
I know of, because privileged ports can only be listened to by root-owned
processes and we know the postmaster won't be one. I am not sure
whether it would be possible to start the postmaster on a low-numbered
port on Windows though. Anyone know? Even if it's possible, do we
want to allow it?
regards, tom lane
Tom Lane wrote:
> Sam Mason <sam@samason.me.uk> writes:
>> + if (portnum < 1 || portnum > 65535)
>
> BTW, it strikes me that we could tighten this even more by rejecting
> target ports below 1024. This is guaranteed safe on all Unix systems
> I know of, because privileged ports can only be listened to by root-owned
> processes and we know the postmaster won't be one.
This is just an aside.
The recent Linux system allows to assign a part of root privileges (called
as capabilities) on a certain process.
Example)
# setcap cap_net_bind_service=ep /usr/local/pgsql/bin/postgres
<-- it allows anyone to launch postmaster with cap_net_bind_service capability.
$ pg_ctl -o "-i -p 100" start
$ psql postgres -p 100
psql (8.5devel)
Type "help" for help.
postgres=#
> Even if it's possible, do we want to allow it?
I cannot find any merits.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
On Thu, 24 Sep 2009, Tom Lane wrote: > Sam Mason <sam@samason.me.uk> writes: >> + if (portnum < 1 || portnum > 65535) > > BTW, it strikes me that we could tighten this even more by rejecting > target ports below 1024. Restricting the target port seems like a bad idea. What about a firewall (or ssh tunnel) that did port forwarding. What PG binds to and what a client connects to may not be the same thing. Kris Jurka
On Thu, Sep 24, 2009 at 8:59 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Sam Mason <sam@samason.me.uk> writes: >> + if (portnum < 1 || portnum > 65535) > > BTW, it strikes me that we could tighten this even more by rejecting > target ports below 1024. This is guaranteed safe on all Unix systems > I know of, because privileged ports can only be listened to by root-owned > processes and we know the postmaster won't be one. I am not sure > whether it would be possible to start the postmaster on a low-numbered > port on Windows though. Anyone know? Even if it's possible, do we > want to allow it? I don't think we get much benefit out of artificially limiting libpq in this way. In 99.99% of cases it won't matter, and in the other 0.01% it will be a needless annoyance. I think we should restrict ourselves to checking what is legal, not what we think is a good idea. ...Robert
On 25 sep 2009, at 02.59, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Sam Mason <sam@samason.me.uk> writes: >> + if (portnum < 1 || portnum > 65535) > > BTW, it strikes me that we could tighten this even more by rejecting > target ports below 1024. This is guaranteed safe on all Unix systems > I know of, because privileged ports can only be listened to by root- > owned > processes and we know the postmaster won't be one. I am not sure > whether it would be possible to start the postmaster on a low-numbered > port on Windows though. Anyone know? Even if it's possible, do we > want to allow it? Windows doesn't care. A non privileged process can open any port, both above and below 1024. Other than that, I agree with previous comments - restricting this in libpq won't actually help anything, but in a few limited cases it will be very annoying. /Magnus >
On Thu, 2009-09-24 at 20:36 -0400, Tom Lane wrote: > BTW, are port numbers still limited to 16 bits in IPv6? Port numbers are in TCP, not in IP.
On Fri, Sep 25, 2009 at 09:29:24AM +0300, Peter Eisentraut wrote: > On Thu, 2009-09-24 at 20:36 -0400, Tom Lane wrote: > > BTW, are port numbers still limited to 16 bits in IPv6? > > Port numbers are in TCP, not in IP. I'd checked that it should work with IPv6, but I hadn't realized that it was because ports were at a different level of abstraction. This mailing list is good for otherwise obscure details like that! -- Sam http://samason.me.uk/
Sam Mason <sam@samason.me.uk> writes:
> Hum, why is PG doing an (unchecked) atoi on the user specified port
> rather than leaving it up to getaddrinfo to resolve the port? It would
> seem to require changing UNIXSOCK_PATH to accept a string as the "port
> number", which is probably a bit much of a change.
> The included doesn't feel very nice, but is probably more acceptable.
Applied, thanks.
regards, tom lane