From: Giovanni Biscuolo
Subject: bug#38198: missing shell for postgresql system user
Date: Wed, 13 Nov 2019 18:36:52 +0100
Message-ID: <87k183oeyz.fsf@roquette.mug.biscuolo.net>
To: 38198@debbugs.gnu.org

Hello Guix!

Current postgresql access rules (pg_hba.conf) default to (see [bug#36191] for details on that patch):

--8<---------------cut here---------------start------------->8---
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
--8<---------------cut here---------------end--------------->8---

Peer authentication works by obtaining the (local) client's operating system user name from the kernel and using it as the allowed database user name, and is better than "trust" authentication.

To access a database server on localhost for the first time as the user postgres (the superuser) a person should use:

--8<---------------cut here---------------start------------->8---
sudo su postgres -c 'psql'
--8<---------------cut here---------------end--------------->8---

AFAIK this is the only method available after database initialization, with peer authentication.

Since the postgres user currently has a nologin shell (from gnu/services/databases.scm):

--8<---------------cut here---------------start------------->8---
(define %postgresql-accounts
  (list (user-group (name "postgres") (system? #t))
        (user-account
         (name "postgres")
         (group "postgres")
         (system? #t)
         (comment "PostgreSQL server user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))
--8<---------------cut here---------------end--------------->8---

the above command does not work.

As a workaround I changed the postgres user shell to /bin/bash and I was able to connect.

I do not see any security issue giving a shell to postgres, since its password is disabled in /etc/shadow, so the only way to access as postgres is via `sudo su postgres`.

Thoughts?

Thanks, Gio'

-- 
Giovanni Biscuolo
Xelera IT Infrastructures
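The following is an added example, not code from the bug report or from Guix: a small POSIX shell check that detects the combination described above, a pg_hba.conf that uses peer authentication on the local socket while the OS account that peer authentication maps to has a non-login shell. The pg_hba.conf text and the /etc/passwd lines are constructed inline so the script runs offline; the /gnu/store path for nologin is a placeholder, and the function names (local_auth_method, user_shell, is_nologin_shell, peer_shell_check) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the bug report): flag peer authentication on the
# local socket paired with a shell-less OS account. That pairing is what makes
# `su postgres -c psql` fail, because su runs the command through the account's
# login shell; peer auth itself matches on socket credentials, not on the shell.

# Constructed pg_hba.conf content mirroring the default quoted in the report.
PG_HBA='# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   127.0.0.1/32  md5
host    all       all   ::1/128       md5'

# Constructed /etc/passwd lines. The postgres entry mirrors the Guix account
# definition (home /var/empty, nologin shell); the store path is a placeholder.
PASSWD='root:x:0:0:root:/root:/bin/bash
postgres:x:999:999:PostgreSQL server user:/var/empty:/gnu/store/PLACEHOLDER-shadow/sbin/nologin'

# Print the METHOD column of the first "local" line in pg_hba.conf text ($1).
# "local" lines have no ADDRESS column, so the method is field 4.
local_auth_method() {
    printf '%s\n' "$1" | awk '$1 == "local" { print $4 }' | head -n 1
}

# Print the login shell (field 7) of user $1 from passwd-format text ($2).
user_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Succeed when the shell path is a nologin/false style non-interactive shell.
is_nologin_shell() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "mismatch" when local connections use peer auth and user $2 (looked up
# in passwd text $3) has a non-login shell; print "ok" otherwise.
peer_shell_check() {
    _method=$(local_auth_method "$1")
    _shell=$(user_shell "$2" "$3")
    if [ "$_method" = "peer" ] && is_nologin_shell "$_shell"; then
        echo mismatch
    else
        echo ok
    fi
}

# Run the check on the constructed inputs.
printf 'local method: %s\n' "$(local_auth_method "$PG_HBA")"
printf 'postgres shell: %s\n' "$(user_shell postgres "$PASSWD")"
printf 'result: %s\n' "$(peer_shell_check "$PG_HBA" postgres "$PASSWD")"
```

On a real system the same functions can be fed `cat /etc/passwd` and the server's pg_hba.conf (its location is in `SHOW hba_file;`) instead of the constructed strings; "mismatch" then means the account cannot be reached through `su`, which is the failure the report describes.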