Re: enabling tcpip_socket by default

From: "Andrew Dunstan" <andrew(at)dunslane(dot)net>
To: <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: enabling tcpip_socket by default
Date: 2004-05-17 11:29:29
Message-ID: 1626.24.211.141.25.1084793369.squirrel@www.dunslane.net
Lists: pgsql-hackers

Marko Karppinen said:
>> Tatsuo Ishii wrote:
>>> Is there any security risk if we enable tcpip_socket by default? We
>>> restrict connection from localhost only by default so I think
>>> enabling tcpip_socket adds no security risk. Please correct me if I
>>> am wrong.
>
> Bruce Momjian wrote:
>> Right, and 7.5 will ship with tcp and localhost enabled.
>
> If the default will be to listen on all interfaces, not just 127.0.0.1,
> then this IS a security risk. And if that's not the plan, what good
> does this change do? Any "real" use of tcp would still require a
> configuration change anyway.

This is demonstrably not true.

>
> Listening on public network interfaces by default would multiply by
> orders of magnitude the number of machines vulnerable to potential
> future remote exploits.
>
> I gather that the pre-authentication code paths are pretty well known,
> and that the chances of such an attack are slim. Nevertheless I cannot
> help but note that it is exactly this default setting that caused
> Microsoft SQL Server to lose a big, big chunk of its reputation, and
> gain notoriety as a launchpad for Windows worms.
>

Why are we having a discussion about a change that went in 2 months ago
and was fully debated back then?

Of course we did not enable listening on all addresses by default.
Maybe you think we are not security conscious?

The change was done because
- Windows does not have Unix sockets, and can only talk via TCP
- Some interfaces (notably JDBC) also require it
- It is probably the number one thing that trips up new pg users.

We listen by default on "localhost" (note, not "127.0.0.1").

Read the dev version of the docs for details.

cheers

andrew
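The distinction the thread turns on (listening on the loopback name versus on every interface, and what pg_hba.conf then admits) is easy to audit mechanically. The following is an added example, not code from the thread or from the PostgreSQL project. It assumes the `listen_addresses` parameter of released PostgreSQL 8.0 and later, which took over the role of the `tcpip_socket`/`virtual_host` pair discussed here, and it runs over constructed configuration fragments rather than a real server's files.

```python
import ipaddress

# Constructed postgresql.conf fragments (not from the thread or the project).
SAMPLE_CONF_LOCALHOST = """
# constructed sample: the conservative default, loopback name only
listen_addresses = 'localhost'
port = 5432
"""

SAMPLE_CONF_EXPOSED = """
# constructed sample: every interface, the setting the thread warns about
listen_addresses = '*'
port = 5432
"""

# Constructed pg_hba.conf fragment (not from the thread or the project).
SAMPLE_HBA = """
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    trust
host    all       all   127.0.0.1/32     md5
host    all       all   ::1/128          md5
host    all       all   10.0.0.0/8       md5
"""


def parse_listen_addresses(conf_text):
    """Return the host entries of the listen_addresses setting.

    The server default ['localhost'] is returned when the setting is
    absent or commented out. Comments are stripped before parsing.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("listen_addresses"):
            continue
        _, _, value = line.partition("=")
        value = value.strip().strip("'\"")
        return [h.strip() for h in value.split(",") if h.strip()]
    return ["localhost"]


def classify(host):
    """Classify one listen_addresses entry as 'loopback', 'all' or 'specific'."""
    if host == "*":
        return "all"
    if host == "localhost":
        # Resolved by the OS resolver; normally 127.0.0.1 and ::1 together.
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "specific"  # some other hostname; resolves to whatever DNS says
    if addr.is_unspecified:  # 0.0.0.0 or :: bind every interface
        return "all"
    if addr.is_loopback:
        return "loopback"
    return "specific"


def exposure_report(conf_text):
    """Summarise which listen entries would accept non-loopback clients."""
    hosts = parse_listen_addresses(conf_text)
    classes = {h: classify(h) for h in hosts}
    exposed = [h for h, c in classes.items() if c != "loopback"]
    return {"hosts": hosts, "classes": classes, "exposed": exposed}


def pg_hba_remote_rules(hba_text):
    """Return host-type pg_hba.conf rules whose address range is not loopback.

    'local' rules describe Unix-domain sockets and are skipped. The address
    may be CIDR ('10.0.0.0/8') or an address followed by a netmask column.
    """
    remote = []
    for raw in hba_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("host", "hostssl", "hostnossl"):
            continue
        address = fields[3]
        if "/" not in address and len(fields) >= 6:
            address = address + "/" + fields[4]  # separate netmask column
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            continue  # hostname or keyword forms are out of scope here
        if not net.is_loopback:
            remote.append(line)
    return remote


if __name__ == "__main__":
    print(exposure_report(SAMPLE_CONF_LOCALHOST))
    print(exposure_report(SAMPLE_CONF_EXPOSED))
    print(pg_hba_remote_rules(SAMPLE_HBA))
```

Two observations fall out of running it. First, `listen_addresses = 'localhost'` is reported as loopback even though it is not the literal `127.0.0.1`, because the name is resolved by the OS and typically yields both 127.0.0.1 and ::1, which is the point of the message's "note, not 127.0.0.1" aside. Second, the socket setting and pg_hba.conf are separate controls: a server bound only to loopback admits nobody remote regardless of pg_hba.conf, while a server bound to `*` is only as exposed as the `host` rules allow.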
