Should a privileged port (sub-1024) be used to deploy PostgreSQL in production?

by da99   Last Updated August 17, 2018 17:06 PM

I've never found a recommendation to run PostgreSQL on a privileged port in production. What type of port should be used in production regarding security and best practices?

Tags : postgresql linux


Answers 2


Using a privileged port for Postgres would require the postgres daemon to run with root privileges, which in itself is a security vulnerability. So, no, you should not use a privileged port for Postgres.

mustaccio
August 17, 2018 16:32 PM

Running PostgreSQL under 1024 requires some hacking. It's almost impossible outside of win32. From the backend/main/main.c,

"root" execution of the PostgreSQL server is not permitted. The server must be started under an unprivileged user ID to prevent possible system security compromise. See the documentation for more information on how to properly start the server.

After which the backend calls exit(1). It also doesn't run as a setuid script. From the source,

Also make sure that real and effective uids are the same. Executing as a setuid program from a root shell is a security hole, since on many platforms a nefarious subroutine could setuid back to root if real uid is root. (Since nobody actually uses postgres as a setuid program, trying to actively fix this situation seems more trouble than it's worth; we'll just expend the effort to check for it.)

The only way to even set this up on Linux that I know of is

Evan Carroll
August 17, 2018 16:46 PM
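
Added example, not part of either answer and not PostgreSQL's own code: a startup guard for a daemon, modelled on the two checks quoted above from backend/main/main.c (refuse root, refuse mismatched real and effective uids), plus a check on the configured port. All function and type names are hypothetical, the uids and ports in main() are constructed, and the port rule assumes the process has been granted no extra privilege to bind below 1024.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names throughout; 1024 is the privileged-port boundary
 * from the question. */
#define PRIVILEGED_PORT_LIMIT 1024

enum start_verdict { START_OK, REFUSE_ROOT, REFUSE_SETUID, REFUSE_PORT };

/* Decide whether a daemon may start with these ids and this listen port. */
enum start_verdict check_start(uid_t ruid, uid_t euid, int port)
{
    if (euid == 0)                      /* running as root: refuse outright */
        return REFUSE_ROOT;
    if (ruid != euid)                   /* setuid execution, e.g. from a root shell */
        return REFUSE_SETUID;
    if (port < PRIVILEGED_PORT_LIMIT)   /* assumption: no extra privilege, bind() would fail */
        return REFUSE_PORT;
    return START_OK;
}

const char *verdict_text(enum start_verdict v)
{
    switch (v) {
    case REFUSE_ROOT:   return "refuse: effective uid is root";
    case REFUSE_SETUID: return "refuse: real and effective uids differ";
    case REFUSE_PORT:   return "refuse: port below 1024 needs privilege";
    default:            return "ok";
    }
}

int main(void)
{
    /* Constructed cases: {real uid, effective uid, port}. */
    struct { uid_t r, e; int port; } c[] = {
        {0, 0, 5432}, {0, 1000, 5432}, {1000, 1000, 543}, {1000, 1000, 5432},
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("ruid=%u euid=%u port=%d -> %s\n", (unsigned)c[i].r,
               (unsigned)c[i].e, c[i].port,
               verdict_text(check_start(c[i].r, c[i].e, c[i].port)));

    /* The same check against this process, using the default port 5432. */
    enum start_verdict v = check_start(getuid(), geteuid(), 5432);
    printf("this process -> %s\n", verdict_text(v));
    return v == START_OK ? 0 : 1;
}
```

The second constructed case (real uid 0, effective uid 1000) is the setuid-from-a-root-shell situation the quoted source comment describes: the effective uid looks unprivileged, but the real uid is still root.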
