GNU bug report logs -
#38198
missing shell for postgresql system user
Reported by: Giovanni Biscuolo <g <at> xelera.eu>
Date: Wed, 13 Nov 2019 17:38:01 UTC
Severity: normal
Done: Giovanni Biscuolo <g <at> xelera.eu>
Bug is archived. No further changes may be made.
Your bug report
#38198: missing shell for postgresql system user
which was filed against the guix package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 38198 <at> debbugs.gnu.org.
--
38198: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=38198
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
Hello Gábor,
Gábor Boskovits <boskovits <at> gmail.com> writes:
[...]
>> To access a database server on localhost for the first time as the user
>> postgres (the superuser) a person should use:
>>
>> --8<---------------cut here---------------start------------->8---
>> sudo su postgres -c 'psql'
>> --8<---------------cut here---------------end--------------->8---
[...]
> I would not mind this change, I think it is ok. However it is easy to
> work around this with su -s.
> I usually do that.
Oh, that's the real solution: thanks! (I should study more...)
sudo su postgres -s psql
Since giving a shell to the postgres user is **not** the solution, I'm
closing this bug.
I'll try to send a patch to the relevant documentation in the manual,
since now that we changed "trust" to "peer" a regular user cannot
connect to a newly initialized database using `psql -U postgres` (and this
is good for security reasons); the user must be part of the "wheel" group
(or be authorized via sudoers in other ways) to be able to use `sudo su
postgres -s psql`.
[...]
Thanks! Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
Hello Guix!
Current postgresql access rules (pg_hba.conf) default to (see
[bug#36191] for details on that patch):
--8<---------------cut here---------------start------------->8---
local   all   all                 peer
host    all   all   127.0.0.1/32  md5
host    all   all   ::1/128       md5
--8<---------------cut here---------------end--------------->8---
Peer authentication works by obtaining the (local) client's operating
system user name from the kernel and using it as the allowed database
user name, and is better than "trust" authentication.
To access a database server on localhost for the first time as the user
postgres (the superuser) a person should use:
--8<---------------cut here---------------start------------->8---
sudo su postgres -c 'psql'
--8<---------------cut here---------------end--------------->8---
AFAIK this is the only method available after database initialization,
with peer authentication.
Since the postgres user currently has a nologin shell (from
gnu/services/databases.scm):
--8<---------------cut here---------------start------------->8---
(define %postgresql-accounts
  (list (user-group (name "postgres") (system? #t))
        (user-account
         (name "postgres")
         (group "postgres")
         (system? #t)
         (comment "PostgreSQL server user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))
--8<---------------cut here---------------end--------------->8---
the above command does not work.
As a workaround I changed the postgres user shell to <store>/bin/bash
and I was able to connect.
I do not see any security issue giving a shell to postgres, since its
password is disabled in /etc/shadow so the only way to access as
postgres is via `sudo su postgres`.
Thoughts?
Thanks, Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
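
Added example (not part of the messages above and not Guix or PostgreSQL code): a minimal Python model of first-match pg_hba.conf evaluation, showing why `psql -U postgres` is rejected for a regular user under "peer" while it was accepted under "trust". The function names, the "gio" OS user and the "trust" variant of the file are constructed for illustration, and the parser handles only the record shapes quoted in the report.

```python
import ipaddress

# The defaults quoted in the report, plus a constructed "trust" variant.
PEER_RULES = """\
local   all   all                 peer
host    all   all   127.0.0.1/32  md5
host    all   all   ::1/128       md5
"""
TRUST_RULES = PEER_RULES.replace("peer", "trust")  # constructed "before" config


def parse_hba(text):
    """Parse 'local' and 'host' records of the shape shown above into dicts."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            conn, db, user, method = fields[:4]
            addr = None
        else:
            conn, db, user, addr, method = fields[:5]
        rules.append({"type": conn, "db": db, "user": user,
                      "addr": addr, "method": method})
    return rules


def decide(rules, conn, db, db_user, os_user=None, client_ip=None):
    """Apply only the first matching record; there is no fall-through."""
    for r in rules:
        if (r["type"] != conn or r["db"] not in ("all", db)
                or r["user"] not in ("all", db_user)):
            continue
        if conn == "host":
            net = ipaddress.ip_network(r["addr"])
            ip = ipaddress.ip_address(client_ip)
            if ip.version != net.version or ip not in net:
                continue
        if r["method"] == "trust":
            return "allow"
        if r["method"] == "peer":
            # No user-name map: the OS user must equal the database user.
            return "allow" if os_user == db_user else "reject"
        return "password-required"  # md5 and other password methods
    return "reject"  # no record matched
```
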
This bug report was last modified 5 years and 247 days ago.