Status: missing shell for postgresql system user
bug#38198, package guix, submitter Giovanni Biscuolo, severity normal

From: Giovanni Biscuolo
To: bug-guix@gnu.org
Subject: missing shell for postgresql system user
Organization: Xelera.eu
Date: Wed, 13 Nov 2019 18:36:52 +0100
Message-ID: <87k183oeyz.fsf@roquette.mug.biscuolo.net>

Hello Guix!
Current postgresql access rules (pg_hba.conf) default to (see
[bug#36191] for details on that patch):

--8<---------------cut here---------------start------------->8---
local   all   all                 peer
host    all   all   127.0.0.1/32  md5
host    all   all   ::1/128       md5
--8<---------------cut here---------------end--------------->8---

Peer authentication works by obtaining the (local) client's operating
system user name from the kernel and using it as the allowed database
user name, and is better than "trust" authentication.

To access a database server on localhost for the first time as the user
postgres (the superuser) a person should use:

--8<---------------cut here---------------start------------->8---
sudo su postgres -c 'psql'
--8<---------------cut here---------------end--------------->8---

AFAIK this is the only method available after database initialization,
with peer authentication.

Since the postgres user currently has a nologin shell (from
gnu/services/databases.scm):

--8<---------------cut here---------------start------------->8---
(define %postgresql-accounts
  (list (user-group (name "postgres") (system? #t))
        (user-account
         (name "postgres")
         (group "postgres")
         (system? #t)
         (comment "PostgreSQL server user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))
--8<---------------cut here---------------end--------------->8---

the above command does not work.

As a workaround I changed the postgres user shell to /bin/bash and I was
able to connect.

I do not see any security issue giving a shell to postgres, since its
password is disabled in /etc/shadow so the only way to access as
postgres is via `sudo su postgres`.

Thoughts?
Thanks, Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

From: Gábor Boskovits
To: Giovanni Biscuolo
Cc: 38198@debbugs.gnu.org
Subject: Re: bug#38198: missing shell for postgresql system user
Date: Wed, 13 Nov 2019 20:36:08 +0100

Hello,

Giovanni Biscuolo wrote (on 2019 Nov 13, Wed, 18:38):

[...]

> I do not see any security issue giving a shell to postgres, since its
> password is disabled in /etc/shadow so the only way to access as
> postgres is via `sudo su postgres`

I would not mind this change, I think it is ok. However it is easy to
work around this with su -s.
I usually do that.

> Thoughts?
>
> Thanks, Gio'

Best regards,
g_bor

-- 
OpenPGP Key Fingerprint: 7988:3B9F:7D6A:4DBF:3719:0367:2506:A96C:CF63:0B21

From: Giovanni Biscuolo
To: Gábor Boskovits
Cc: 38198-done@debbugs.gnu.org
Subject: Re: bug#38198: missing shell for postgresql system user
Organization: Xelera.eu
Date: Thu, 14 Nov 2019 11:02:15 +0100
Message-ID: <878soiojx4.fsf@roquette.mug.biscuolo.net>
Hello Gábor,

Gábor Boskovits writes:

[...]

>> To access a database server on localhost for the first time as the user
>> postgres (the superuser) a person should use:
>>
>> --8<---------------cut here---------------start------------->8---
>> sudo su postgres -c 'psql'
>> --8<---------------cut here---------------end--------------->8---

[...]

> I would not mind this change, I think it is ok. However it is easy to
> work around this with su -s.
> I usually do that.

Oh, that's the real solution: thanks! (I should study more...)

sudo su postgres -s psql

Since giving a shell to the postgres user is **not** the solution, I'm
closing this bug.

I'll try to send a patch to the relevant documentation in the manual,
since now that we changed "trust" to "peer" a regular user cannot
connect to a newly initialized database using `psql -U postgres` (and
that is good for security reasons); the user must be part of the "wheel"
group (or be authorized via sudoers in other ways) to be able to use
`sudo su postgres -s psql`

[...]

Thanks!
Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

From: Debbugs Internal Request
Subject: Internal Control
Date: Thu, 12 Dec 2019 12:24:14 +0000

bug archived.
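The thread's security argument rests on three facts about the host: the postgres account has a nologin shell, its password is locked in /etc/shadow, and local pg_hba.conf access uses peer rather than trust. The script below is an added audit of exactly those three properties; it is not part of the bug report or of Guix, and it runs against constructed sample file contents (the SAMPLE_* variables) instead of the live system files.

```shell
# Added example (not part of the bug thread): audit the three properties
# the discussion relies on, against constructed sample file contents.

# Constructed sample: postgres as Guix defines it (nologin shell, home
# /var/empty) and a locked ("!") password field in the shadow file.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
postgres:x:999:999:PostgreSQL server user:/var/empty:/sbin/nologin'
SAMPLE_SHADOW='root:$6$constructedhash:18000:0:99999:7:::
postgres:!:18000:0:99999:7:::'
# Constructed sample: the pg_hba.conf defaults quoted in the report.
SAMPLE_HBA='# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   127.0.0.1/32  md5
host    all       all   ::1/128       md5'

# shell_of USER PASSWD_TEXT: print the login-shell field of USER.
shell_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# account_is_nologin USER PASSWD_TEXT: true if the shell is nologin/false.
account_is_nologin() {
    case "$(shell_of "$1" "$2")" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# password_is_locked USER SHADOW_TEXT: true if the hash field starts with
# "!" or is "*", i.e. no password authentication is possible for USER.
password_is_locked() {
    pwhash=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2 }')
    case "$pwhash" in
        '!'*|'*') return 0 ;;
        *) return 1 ;;
    esac
}

# weak_local_hba_lines HBA_TEXT: print every active "local" rule whose
# method is "trust" (any local OS user could then connect as any role).
weak_local_hba_lines() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $1 == "local" && $NF == "trust"'
}

# audit PASSWD_TEXT SHADOW_TEXT HBA_TEXT: returns 0 when all checks pass.
audit() {
    account_is_nologin postgres "$1" || { echo "FAIL: postgres has a login shell"; return 1; }
    password_is_locked postgres "$2" || { echo "FAIL: postgres password is not locked"; return 1; }
    [ -z "$(weak_local_hba_lines "$3")" ] || { echo "FAIL: local 'trust' rule in pg_hba.conf"; return 1; }
    echo "OK: nologin shell, locked password, no local trust rule"
}
audit "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$SAMPLE_HBA"
```

To audit a real host, pass `"$(cat /etc/passwd)"`, `"$(cat /etc/shadow)"` and the contents of the running server's pg_hba.conf to `audit` instead of the samples (reading /etc/shadow needs root).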