* bug#38198: missing shell for postgresql system user
From: Giovanni Biscuolo @ 2019-11-13 17:36 UTC
To: 38198
Hello Guix!
The current postgresql access rules (pg_hba.conf) default to the following (see
[bug#36191] for details on that patch):
--8<---------------cut here---------------start------------->8---
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
--8<---------------cut here---------------end--------------->8---
Peer authentication works by obtaining the (local) client's operating
system user name from the kernel and using it as the allowed database
user name, and is better than "trust" authentication.
To access a database server on localhost for the first time as the user
postgres (the superuser) a person should use:
--8<---------------cut here---------------start------------->8---
sudo su postgres -c 'psql'
--8<---------------cut here---------------end--------------->8---
AFAIK this is the only method available after database initialization
with peer authentication.
Since the postgres user currently has a nologin shell (from
gnu/services/databases.scm):
--8<---------------cut here---------------start------------->8---
(define %postgresql-accounts
(list (user-group (name "postgres") (system? #t))
(user-account
(name "postgres")
(group "postgres")
(system? #t)
(comment "PostgreSQL server user")
(home-directory "/var/empty")
(shell (file-append shadow "/sbin/nologin")))))
--8<---------------cut here---------------end--------------->8---
the above command does not work.
As a workaround I changed the postgres user's shell to <store>/bin/bash
and I was able to connect.
I do not see any security issue in giving a shell to postgres, since its
password is disabled in /etc/shadow, so the only way to access as
postgres is via `sudo su postgres`.
Thoughts?
Thanks, Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
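Added example, not part of this thread or of the Guix code base: a small POSIX shell script that audits a pg_hba.conf for the weaker methods the message above contrasts with "peer" (trust, password, md5) and rewrites md5 rules to scram-sha-256. The sample rules are constructed here (the three defaults quoted above plus one deliberately weak "trust" rule), and the function names, the `--demo` flag and the severity labels are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the Guix thread or the Guix code base): audit a
# pg_hba.conf for weak authentication methods, and rewrite md5 rules to
# scram-sha-256. Assumes POSIX sh, awk and sed; the file path is passed as $1.

# Constructed sample pg_hba.conf: the three default rules quoted in the
# thread plus one deliberately weak "trust" rule so the audit has something
# to flag.
write_sample_hba() {
  cat > "$1" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   ::1/128        md5
host    all       all   0.0.0.0/0      trust
EOF
}

# Print one line per weak rule ("SEVERITY line N: TYPE ADDRESS METHOD").
# trust    = no authentication at all (anyone matching the rule is let in)
# password = cleartext password on the wire
# md5      = accepted, but weaker than scram-sha-256 (PostgreSQL 10+)
# Exit status 1 if anything was flagged, 0 if the file is clean.
audit_hba() {
  awk '
    /^[[:space:]]*#/ { next }            # comment line
    NF == 0          { next }            # blank line
    {
      type = $1
      if (type == "local") { addr = "-"; method = $4 }   # local rules have no ADDRESS column
      else                 { addr = $4;  method = $5 }
      sev = ""
      if      (method == "trust")    sev = "CRITICAL"
      else if (method == "password") sev = "HIGH"
      else if (method == "md5")      sev = "LOW"
      if (sev != "") {
        printf "%s line %d: %s %s %s\n", sev, NR, type, addr, method
        bad++
      }
    }
    END { if (bad > 0) exit 1; exit 0 }
  ' "$1"
}

# Replace md5 with scram-sha-256 in place (keeps a .bak copy). This only
# changes the rule: existing roles still need their passwords re-set with
# password_encryption = scram-sha-256 before they can log in again.
# A "trust" rule is not auto-fixed; it has to be removed or replaced by hand.
harden_hba() {
  sed -i.bak 's/[[:space:]]md5[[:space:]]*$/ scram-sha-256/' "$1"
}

# Stand-alone run: write the sample, audit it, harden it, audit again.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  write_sample_hba "$f"
  audit_hba "$f" || true
  harden_hba "$f"
  echo "--- after harden_hba ---"
  audit_hba "$f" || true
  rm -f "$f" "$f.bak"
fi
```

Run it as `sh audit_hba.sh --demo` (file name assumed) to see the two md5 rules and the trust rule flagged, then only the trust rule after the rewrite; against a real server, point `audit_hba` at the data directory's pg_hba.conf and reload PostgreSQL after any change.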
* bug#38198: missing shell for postgresql system user
From: Gábor Boskovits @ 2019-11-13 19:36 UTC
To: Giovanni Biscuolo; +Cc: 38198
Hello,
Giovanni Biscuolo <g@xelera.eu> wrote (on Wed, 13 Nov 2019, 18:38):
>
> Hello Guix!
>
> The current postgresql access rules (pg_hba.conf) default to the following (see
> [bug#36191] for details on that patch):
>
> --8<---------------cut here---------------start------------->8---
> local all all peer
> host all all 127.0.0.1/32 md5
> host all all ::1/128 md5
> --8<---------------cut here---------------end--------------->8---
>
> Peer authentication works by obtaining the (local) client's operating
> system user name from the kernel and using it as the allowed database
> user name, and is better than "trust" authentication.
>
> To access a database server on localhost for the first time as the user
> postgres (the superuser) a person should use:
>
> --8<---------------cut here---------------start------------->8---
> sudo su postgres -c 'psql'
> --8<---------------cut here---------------end--------------->8---
>
> AFAIK this is the only method available after database initialization
> with peer authentication.
>
> Since the postgres user currently has a nologin shell (from
> gnu/services/databases.scm):
>
> --8<---------------cut here---------------start------------->8---
> (define %postgresql-accounts
> (list (user-group (name "postgres") (system? #t))
> (user-account
> (name "postgres")
> (group "postgres")
> (system? #t)
> (comment "PostgreSQL server user")
> (home-directory "/var/empty")
> (shell (file-append shadow "/sbin/nologin")))))
> --8<---------------cut here---------------end--------------->8---
>
> the above command does not work.
>
> As a workaround I changed the postgres user's shell to <store>/bin/bash
> and I was able to connect.
>
> I do not see any security issue in giving a shell to postgres, since its
> password is disabled in /etc/shadow, so the only way to access as
> postgres is via `sudo su postgres`.
I would not mind this change, I think it is OK. However, it is easy to
work around this with su -s.
I usually do that.
>
> Thoughts?
>
> Thanks, Gio'
>
> --
> Giovanni Biscuolo
>
> Xelera IT Infrastructures
Best regards,
g_bor
--
OpenPGP Key Fingerprint: 7988:3B9F:7D6A:4DBF:3719:0367:2506:A96C:CF63:0B21
* bug#38198: missing shell for postgresql system user
From: Giovanni Biscuolo @ 2019-11-14 10:02 UTC
To: Gábor Boskovits; +Cc: 38198-done
Hello Gábor,
Gábor Boskovits <boskovits@gmail.com> writes:
[...]
>> To access a database server on localhost for the first time as the user
>> postgres (the superuser) a person should use:
>>
>> --8<---------------cut here---------------start------------->8---
>> sudo su postgres -c 'psql'
>> --8<---------------cut here---------------end--------------->8---
[...]
> I would not mind this change, I think it is ok. However it is easy to
> work around this with su -s.
> I usually do that.
Oh, that's the real solution: thanks! (I should study more...)
sudo su postgres -s psql
Since giving a shell to the postgres user is **not** the solution, I'm
closing this bug.
I'll try to send a patch to the relevant documentation in the manual,
since now that we changed "trust" to "peer" a regular user cannot
connect to a newly initialized database using `psql -U postgres` (and
that is good for security reasons); the user must be part of the "wheel"
group (or be authorized via sudoers in other ways) to be able to use
`sudo su postgres -s psql`.
[...]
Thanks! Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures