From: Gábor Boskovits
Subject: bug#38198: missing shell for postgresql system user
Date: Wed, 13 Nov 2019 20:36:08 +0100
In-Reply-To: <87k183oeyz.fsf@roquette.mug.biscuolo.net>
To: Giovanni Biscuolo
Cc: 38198@debbugs.gnu.org

Hello,

Giovanni Biscuolo wrote (on 2019 Nov 13, Wed, 18:38):
>
> Hello Guix!
>
> Current postgresql access rules (pg_hba.conf) default to (see
> [bug#36191] for details on that patch):
>
> --8<---------------cut here---------------start------------->8---
> local all all peer
> host all all 127.0.0.1/32 md5
> host all all ::1/128 md5
> --8<---------------cut here---------------end--------------->8---
>
> Peer authentication works by obtaining the (local) client's operating
> system user name from the kernel and using it as the allowed database
> user name, and is better than "trust" authentication
>
> To access a database server on localhost for the first time as the user
> postgres (the superuser) a person should use:
>
> --8<---------------cut here---------------start------------->8---
> sudo su postgres -c 'psql'
> --8<---------------cut here---------------end--------------->8---
>
> AFAIK this is the only method available after database initialization,
> with peer authentication
>
> Since the postgres user currently has a nologin shell (from
> gnu/services/databases.scm):
>
> --8<---------------cut here---------------start------------->8---
> (define %postgresql-accounts
>   (list (user-group (name "postgres") (system? #t))
>         (user-account
>          (name "postgres")
>          (group "postgres")
>          (system? #t)
>          (comment "PostgreSQL server user")
>          (home-directory "/var/empty")
>          (shell (file-append shadow "/sbin/nologin")))))
> --8<---------------cut here---------------end--------------->8---
>
> the above command does not work
>
> As a workaround I changed the postgres user shell to /bin/bash
> and I was able to connect
>
> I do not see any security issue giving a shell to postgres, since its
> password is disabled in /etc/shadow so the only way to access as
> postgres is via `sudo su postgres`

I would not mind this change, I think it is ok. However it is easy to work
around this with su -s. I usually do that.

> Thoughts?
>
> Thanks, Gio'
>
> --
> Giovanni Biscuolo
>
> Xelera IT Infrastructures

Best regards,
g_bor

-- 
OpenPGP Key Fingerprint: 7988:3B9F:7D6A:4DBF:3719:0367:2506:A96C:CF63:0B21
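The two points of the exchange above, checking that the postgres account's password is really disabled in /etc/shadow and picking the su -s form when the login shell is nologin, as an added example that is not part of the original thread; the passwd/shadow records and the store path are constructed placeholders:

```shell
#!/bin/sh
# Constructed sample account records (not copied from a real system). The
# store path is a placeholder standing in for the shadow package's nologin.
PASSWD_POSTGRES='postgres:x:991:991:PostgreSQL server user:/var/empty:/gnu/store/PLACEHOLDER-shadow/sbin/nologin'
PASSWD_ALICE='alice:x:1000:998:Alice:/home/alice:/bin/bash'
SHADOW_POSTGRES='postgres:!:18213:0:99999:7:::'
SHADOW_ALICE='alice:$6$constructedsalt$constructedhash:18213:0:99999:7:::'

# Field 7 of a passwd record is the login shell.
passwd_shell() { printf '%s\n' "$1" | cut -d: -f7; }

# Field 2 of a shadow record: "*" or a "!"-prefixed value means the password
# is disabled, so the account is only reachable via su/sudo from another
# user. An empty field would mean "no password required", which is not locked.
password_state() {
  case "$(printf '%s\n' "$1" | cut -d: -f2)" in
    '*'|'!'*) echo locked ;;
    *) echo set ;;
  esac
}

# The command to open psql as a local OS user under peer authentication.
# With a nologin shell, `su USER -c psql` hands the -c string to nologin,
# which just exits, so the shell must be overridden with -s; otherwise
# plain `su -c` works.
psql_command() {
  user=$(printf '%s\n' "$1" | cut -d: -f1)
  case "$(passwd_shell "$1")" in
    */nologin|*/false) echo "su -s /bin/sh $user -c psql" ;;
    *) echo "su $user -c psql" ;;
  esac
}

# Summarise one account: is its password locked, and how do you reach psql as it?
report() {
  printf '%s: password %s; use: %s\n' \
    "$(printf '%s\n' "$1" | cut -d: -f1)" "$(password_state "$2")" "$(psql_command "$1")"
}

report "$PASSWD_POSTGRES" "$SHADOW_POSTGRES"
report "$PASSWD_ALICE" "$SHADOW_ALICE"
```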