GNU bug report logs - #38198
missing shell for postgresql system user


Package: guix

Reported by: Giovanni Biscuolo <g <at> xelera.eu>

Date: Wed, 13 Nov 2019 17:38:01 UTC

Severity: normal

Done: Giovanni Biscuolo <g <at> xelera.eu>

Bug is archived. No further changes may be made.


From: Giovanni Biscuolo <g <at> xelera.eu>
To: 38198 <at> debbugs.gnu.org
Subject: bug#38198: missing shell for postgresql system user
Date: Wed, 13 Nov 2019 18:36:52 +0100
Hello Guix!

Current postgresql access rules (pg_hba.conf) default to (see
[bug#36191] for details on that patch):

--8<---------------cut here---------------start------------->8---
local	all	all			peer
host	all	all	127.0.0.1/32 	md5
host	all	all	::1/128 	md5
--8<---------------cut here---------------end--------------->8---

Peer authentication works by obtaining the (local) client's operating
system user name from the kernel and using it as the allowed database
user name, and is better than "trust" authentication.

To access a database server on localhost for the first time as the user
postgres (the superuser) a person should use:

--8<---------------cut here---------------start------------->8---
sudo su postgres -c 'psql'
--8<---------------cut here---------------end--------------->8---

AFAIK this is the only method available after database initialization,
with peer authentication.

Since the postgres user currently has a nologin shell (from
gnu/services/databases.scm):

--8<---------------cut here---------------start------------->8---
(define %postgresql-accounts
  (list (user-group (name "postgres") (system? #t))
        (user-account
         (name "postgres")
         (group "postgres")
         (system? #t)
         (comment "PostgreSQL server user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))
--8<---------------cut here---------------end--------------->8---

the above command does not work.

As a workaround I changed the postgres user shell to <store>/bin/bash
and I was able to connect.

I do not see any security issue giving a shell to postgres, since its
password is disabled in /etc/shadow so the only way to access as
postgres is via `sudo su postgres`.

Thoughts?

Thanks, Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

This bug report was last modified 5 years and 247 days ago.
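
The two facts the report weighs, the account's login shell (which `su postgres -c ...` has to execute) and its locked password in /etc/shadow, can be checked mechanically. The script below is an added example, not part of the original message or of Guix; the passwd and shadow lines, the `EXAMPLE` store paths and the `postgres-workaround` account name are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a system account by login shell and password state.
# All sample data below is constructed, not taken from a real host.

# 7th passwd field = the shell that `su USER -c CMD` will execute.
shell_of() {    # usage: shell_of USER PASSWD_FILE
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# 2nd shadow field: a leading "!" or "*" can never match a typed password.
password_state() {    # usage: password_state USER SHADOW_FILE
    awk -F: -v u="$1" '$1 == u {
        if ($2 == "")          print "empty"
        else if ($2 ~ /^[!*]/) print "locked"
        else                   print "set"
    }' "$2"
}

audit_account() {    # usage: audit_account USER PASSWD_FILE SHADOW_FILE
    grep -q "^$1:" "$2" || return 1          # no such account
    sh_path=$(shell_of "$1" "$2")
    case "${sh_path##*/}" in
        nologin|false) su_c=blocked ;;       # shell refuses to run commands
        *)             su_c=works ;;         # empty field means /bin/sh
    esac
    printf '%s shell=%s su_c=%s password=%s\n' \
        "$1" "$sh_path" "$su_c" "$(password_state "$1" "$3")"
}

make_samples() {    # writes constructed passwd/shadow files into directory $1
    cat > "$1/passwd" <<'EOF'
postgres:x:999:999:PostgreSQL server user:/var/empty:/gnu/store/EXAMPLE-shadow/sbin/nologin
postgres-workaround:x:998:998:PostgreSQL server user:/var/empty:/gnu/store/EXAMPLE-bash/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
postgres:!:18213::::::
postgres-workaround:!:18213::::::
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_account postgres "$tmp/passwd" "$tmp/shadow"
audit_account postgres-workaround "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

A `su_c=blocked` result only concerns commands routed through the account's login shell; `sudo -u postgres psql` executes `psql` directly and does not depend on that field.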
