From: | Christopher Browne <cbbrowne(at)gmail(dot)com> |
---|---|
To: | Andres Freund <andres(at)2ndquadrant(dot)com> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Min value for port |
Date: | 2013-06-27 16:00:38 |
Message-ID: | CAFNqd5UR7HVSbJ2mYYc3X0wwbQ+y12=wR3xyMZBJnguhc0px4w@mail.gmail.com |
Lists: | pgsql-hackers |
On Thu, Jun 27, 2013 at 9:22 AM, Andres Freund <andres(at)2ndquadrant(dot)com> wrote:
> On 2013-06-27 15:11:26 +0200, Magnus Hagander wrote:
> > On Thu, Jun 27, 2013 at 2:16 PM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
> > > On 6/27/13 6:34 AM, Magnus Hagander wrote:
> > >> Is there a reason why we have set the min allowed value for port to 1,
> > >> not 1024? Given that you can't actually start postgres with a value of
> > >> <1024, shouldn't the entry in pg_settings reference that as well?
> > >
> > > Are you thinking of the restriction that you need to be root to use
> > > ports <1024? That restriction is not necessarily universal. We can let
> > > the kernel tell us at run time if it doesn't like our port.
> >
> > Yes, that's the restriction I was talking about. It's just a bit
> > annoying that if you look at pg_settings.min_value it doesn't actually
> > tell you the truth. But yeah, I believe Windows actually lets you use
> > a lower port number, so it'd at least have to be #ifdef'ed for that if
> > we wanted to change it.
>
> You can easily change the setting on linux as well. And you can grant
> specific binaries the permission to bind to restricted ports without
> being root.
> I don't think the additional complexity to get a sensible value in there
> is warranted.
>
With that large a set of local policies that can change the "usual < 1024"
policy, yep, I agree that it's not worth trying too hard on this one.
And supposing something like SE-Linux can grant bindings for a particular
user/binary to access a *specific* port, that represents a model that is
pretty incompatible with the notion of a "minimum value."
On the one hand, the idea of having to add a lot of platform-specific
code (which may further be specific to a framework like SE-Linux)
is not terribly appealing.
Further, if the result is something that doesn't really fit with a "minimum,"
is it much worth fighting with the platform localities?
Indeed, I begin to question whether indicating a "minimum" is actually
meaningful.
--
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
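The position the thread converges on, that the kernel rather than a static minimum in pg_settings is the authority on whether a port can be bound, can be checked directly from a process. The script below is an added example, not code from PostgreSQL or from any participant in the thread. It assumes Linux for the /proc paths (the ip_unprivileged_port_start sysctl, present since kernel 4.11, and the CapEff bitmask in /proc/self/status) and falls back to the historical 1024 threshold elsewhere; the diagnosis strings in explain() are my own wording.

```python
import errno
import os
import socket

# Linux >= 4.11 exposes the privileged-port threshold as a sysctl; the
# classic value is 1024, and an administrator can lower it (even to 0).
SYSCTL_UNPRIV_START = "/proc/sys/net/ipv4/ip_unprivileged_port_start"
# Bit index of CAP_NET_BIND_SERVICE in the kernel's capability bitmask.
CAP_NET_BIND_SERVICE = 10


def unprivileged_port_start():
    """Lowest port this kernel lets an unprivileged process bind.

    Falls back to the historical 1024 when the sysctl is unavailable
    (non-Linux, or a kernel older than 4.11)."""
    try:
        with open(SYSCTL_UNPRIV_START) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 1024


def has_cap_net_bind_service():
    """True/False if CAP_NET_BIND_SERVICE is in this process's effective
    capability set (read from /proc/self/status on Linux), or None when
    that information is not available on this platform."""
    try:
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith("CapEff:"):
                    cap_eff = int(line.split(":", 1)[1].strip(), 16)
                    return bool((cap_eff >> CAP_NET_BIND_SERVICE) & 1)
    except (OSError, ValueError):
        pass
    return None


def probe_bind(port, host="127.0.0.1"):
    """Ask the kernel whether we may bind TCP `port` right now.

    Returns (True, 0) on success or (False, errno) on failure. The socket
    is closed immediately, so this is a probe, not a reservation: another
    process can still take the port before a real server binds it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return True, 0
    except OSError as e:
        return False, e.errno
    finally:
        s.close()


def explain(port):
    """Turn a probe result into a short diagnosis a server could log."""
    ok, err = probe_bind(port)
    if ok:
        return "bindable"
    if err == errno.EACCES:
        if port < unprivileged_port_start():
            return "refused: below the privileged-port threshold and no CAP_NET_BIND_SERVICE"
        # Above the threshold and still EACCES: an LSM such as SELinux is
        # the usual culprit (per-port type enforcement, not a numeric minimum).
        return "refused: EACCES above the threshold (SELinux or another LSM?)"
    if err == errno.EADDRINUSE:
        return "refused: already in use"
    return "refused: " + os.strerror(err)


if __name__ == "__main__":
    print("unprivileged ports start at", unprivileged_port_start())
    print("CAP_NET_BIND_SERVICE in effective set:", has_cap_net_bind_service())
    for p in (80, 999, 1023, 5432):
        print(p, explain(p))
```

Run as an ordinary user the script typically reports 80, 999 and 1023 as refused and 5432 as bindable, but every one of those answers depends on local policy: on Linux, `sysctl -w net.ipv4.ip_unprivileged_port_start=0` removes the threshold system-wide, `setcap 'cap_net_bind_service=+ep' <binary>` grants it to one executable, and under SELinux `semanage port -a -t postgresql_port_t -p tcp 999` allows one specific port, which is exactly the per-port model the message above says does not map onto a minimum value.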