From unknown Fri Jun 13 10:15:59 2025
Subject: [bug#77413] [PATCH] services: postgresql-service-type: Allow allowing to log into the user.
To: 77413@debbugs.gnu.org
Cc: Tomas Volf <~@wolfsden.cz>, Ludovic Courtès, Maxim Cournoyer
From: Tomas Volf <~@wolfsden.cz>
Date: Mon, 31 Mar 2025 21:25:55 +0200
Message-ID: <9ac891e4fdb07ec4fd0e92f232a923d33d4c20ec.1743449155.git.~@wolfsden.cz>

It is often useful to be able to use the `postgres' user for management tasks,
so this commit allows setting that.  The default behavior is not changed.

I have also added missing exports and sorted them by alphabet.

* gnu/services/databases.scm (%default-home-directory): New variable.
(): Add home-directory, allow-login? fields.
(create-postgresql-account): Use them.
* doc/guix.texi (Database Services): Document it.

Change-Id: I2212e5082ff4e87c49a5a8a4711bf929dd08626a
---
 doc/guix.texi              | 17 ++++++++++++-----
 gnu/services/databases.scm | 31 +++++++++++++++++++++++--------
 2 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index cb4c1b2430..a152a9623e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27523,11 +27523,11 @@ Database Services restart the service. Peer authentication is used by default and the @code{postgres} user -account has no shell, which prevents the direct execution of @code{psql} -commands as this user. To use @code{psql}, you can temporarily log in -as @code{postgres} using a shell, create a PostgreSQL superuser with the -same name as one of the system users and then create the associated -database. +account has no shell (unless @code{allow-login?} is @code{#t}), which +prevents the direct execution of @code{psql} commands as this user. To +use @code{psql}, you can temporarily log in as @code{postgres} using a +shell, create a PostgreSQL superuser with the same name as one of the +system users and then create the associated database. @example sudo -u postgres -s /bin/sh @@ -27606,6 +27606,13 @@ Database Services @item @code{create-account?} (default: @code{#t}) Whether or not the @code{postgres} user and group should be created. +@item @code{allow-login?} (default: @code{#f}) +Whether or not to allow login into the created account. + +@item @code{home-directory} (default: @code{"/var/empty"}) +The home directory of the user. It is strongly advised to change this +if you set @code{allow-login?} to @code{#t}. + @item @code{uid} (default: @code{#f}) Explicitly specify the UID of the @code{postgres} daemon account. You normally do not need to specify this, in which case a free UID will diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm index 6d80376d90..b45aad2c0b 100644 --- a/gnu/services/databases.scm +++ b/gnu/services/databases.scm 
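Review bot: in the doc/guix.texi hunk `@@ -27606,6 +27606,13 @@`, the `home-directory` entry says changing it is "strongly advised" when `allow-login?` is `#t` but gives no reason, and the `allow-login?` entry ("Whether or not to allow login into the created account") does not say what the option actually does. Suggest spelling both out: `allow-login?` replaces `/sbin/nologin` with the system default shell and nothing else (the patch touches no password field, so access is still through `sudo` or `su`), and `/var/empty` is a shared directory not writable by `postgres`, so a login shell with that `$HOME` has nowhere to keep its history or dotfiles. One sentence saying that the default (`#f`, `/var/empty`) is the hardened choice for production systems would tell the reader when to leave the option off.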
@@ -51,13 +51,18 @@ (define-module (gnu services databases) postgresql-configuration postgresql-configuration? - postgresql-configuration-postgresql - postgresql-configuration-port - postgresql-configuration-locale - postgresql-configuration-file - postgresql-configuration-log-directory + postgresql-configuration-allow-login? + postgresql-configuration-create-account? postgresql-configuration-data-directory postgresql-configuration-extension-packages + postgresql-configuration-file + postgresql-configuration-gid + postgresql-configuration-home-directory + postgresql-configuration-locale + postgresql-configuration-log-directory + postgresql-configuration-port + postgresql-configuration-postgresql + postgresql-configuration-uid postgresql-service postgresql-service-type @@ -164,6 +169,8 @@ (define-gexp-compiler (postgresql-config-file-compiler port))) #:local-build? #t)))) +(define %default-home-directory "/var/empty") + (define-record-type* postgresql-configuration make-postgresql-configuration postgresql-configuration? @@ -186,6 +193,10 @@ (define-record-type* (default '())) (create-account? postgresql-configuration-create-account? (default #t)) + (home-directory postgresql-configuration-home-directory + (default %default-home-directory)) + (allow-login? postgresql-configuration-allow-login? + (default #f)) (uid postgresql-configuration-uid (default #f)) (gid postgresql-configuration-gid @@ -193,7 +204,7 @@ (define-record-type* (define (create-postgresql-account config) (match-record config - (create-account? uid gid) + (create-account? allow-login? home-directory uid gid) (if (not create-account?) '() (list (user-group (name "postgres") 
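Review bot: the `@@ -51,13 +51,18 @@` hunk re-sorts the existing export list alphabetically in the same commit that adds the feature, so the diff shows five accessors removed and ten added although only `postgresql-configuration-allow-login?` and `postgresql-configuration-home-directory` are new behaviour (the others, `-create-account?`, `-gid` and `-uid`, were merely unexported). Suggest moving the reorder and the previously missing exports into a preceding cleanup commit so that the feature diff is just the two new names and `git blame` and bisecting stay meaningful.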
@@ -205,8 +216,12 @@ (define (create-postgresql-account config) (system? #t) (uid uid) (comment "PostgreSQL server user") - (home-directory "/var/empty") - (shell (file-append shadow "/sbin/nologin"))))))) + (create-home-directory? + (not (string=? home-directory %default-home-directory))) + (home-directory home-directory) + (shell (if allow-login? + ((@ (gnu system accounts) default-shell)) + (file-append shadow "/sbin/nologin")))))))) (define (final-postgresql postgresql extension-packages) (if (null? extension-packages)
-- 
2.49.0
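Review bot: in the `@@ -205,8 +216,12 @@` hunk of gnu/services/databases.scm, `((@ (gnu system accounts) default-shell))` reaches into another module with `@` instead of importing it; add `(gnu system accounts)` to the module's `#:use-module` list and write `(default-shell)`, or leave a comment explaining why the import is not possible. Two smaller points on the same hunk: `create-home-directory?` is derived from a string comparison against `%default-home-directory`, so any other value makes it `#t` even when `allow-login?` is `#f`, and a one-line comment saying the two fields are independent would save the next reader a trip to the docs; and the defaults are unchanged (`/sbin/nologin`, `/var/empty`), which keeps the manual's `sudo -u postgres -s /bin/sh` path the only way into the account unless an operator opts in, which is the property worth stating in the docstring.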
From: Ludovic Courtès
In-Reply-To: <9ac891e4fdb07ec4fd0e92f232a923d33d4c20ec.1743449155.git.~@wolfsden.cz> (Tomas Volf's message of "Mon, 31 Mar 2025 21:25:55 +0200")
Date: Tue, 01 Apr 2025 14:28:44 +0200
Message-ID: <87r02ccbgj.fsf@gnu.org>

Tomas Volf <~@wolfsden.cz> skribis:

> It is often useful to be able to use the `postgres' user for management tasks,
> so this commit allows setting that.  The default behavior is not changed.
>
> I have also added missing exports and sorted them by alphabet.
>
> * gnu/services/databases.scm (%default-home-directory): New variable.
> (): Add home-directory, allow-login? fields.
> (create-postgresql-account): Use them.
> * doc/guix.texi (Database Services): Document it.
>
> Change-Id: I2212e5082ff4e87c49a5a8a4711bf929dd08626a

Hi!  I’m rather against this change, because it’s unnecessary.

Let me share a protip:

  sudo su - cuirass -s /bin/sh -c $(type -P psql)

(From .)

Ludo’.
From: Tomas Volf <~@wolfsden.cz>
In-Reply-To: <87r02ccbgj.fsf@gnu.org> (Ludovic Courtès's message of "Tue, 01 Apr 2025 14:28:44 +0200")
Date: Tue, 01 Apr 2025 23:06:25 +0200
Message-ID: <87frirr3qm.fsf@wolfsden.cz>

Ludovic Courtès writes:

> Tomas Volf <~@wolfsden.cz> skribis:
>
>> It is often useful to be able to use the `postgres' user for management tasks,
>> so this commit allows setting that.  The default behavior is not changed.
>>
>> I have also added missing exports and sorted them by alphabet.
>>
>> * gnu/services/databases.scm (%default-home-directory): New variable.
>> (): Add home-directory, allow-login? fields.
>> (create-postgresql-account): Use them.
>> * doc/guix.texi (Database Services): Document it.
>>
>> Change-Id: I2212e5082ff4e87c49a5a8a4711bf929dd08626a
>
> Hi!  I’m rather against this change, because it’s unnecessary.

The default is not changed though, this just gives people more options.
Some people (me included) prefer to have the postgres account as a fully
working user, with working psql history.  Unless this opens security
issues (Does it?  For example Archlinux has /usr/bin/bash for the
postgres user.), is there a reason not to allow users to make the choice
here?  Especially since the default behavior is not modified and still
adheres to your preference?

> Let me share a protip:
>
>   sudo su - cuirass -s /bin/sh -c $(type -P psql)
>

Thank you for the -s flag, I was not aware of it.

That makes the initial setup possible, but still annoying.  I needed to
run `initdb' (with modified $PATH), `pg_upgrade' and `vacuumdb'.  I
believe that running those after `sudo -iu postgres' is much easier than
trying to figure out correct quoting while passing all these things as a
string to the -c argument of /bin/sh.

Additionally the service I am running does *not* have full permissions
to the database, so I need to be able to connect somehow for manual
modifications.  I *could* just alias `psql' to `sudo -u postgres -s
/bin/sh -c 'psql'', but I would still not get working history.
Alternatively I could start using the TCP connection and rely on
scram-sha-256 instead of peer authentication.  Or I could create a
special dummy account I would sudo into and use that one.  But...  I
already have a perfect account, postgres.  So I would like to use it.

So to sum up, I now agree all is possible even without this change
(TIL!), but convenience (and personal preference) is a different matter.

Tomas

-- 
There are only two hard things in Computer Science: cache invalidation,
naming things and off-by-one errors.
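As an added illustration that is not part of the thread, the patch or the Guix manual, here is how the two fields the patch introduces would be used in a system declaration, with the default (hardened) form beside the opt-in form. The package choice `postgresql-15`, the home directory `/var/lib/postgresql` and the `sudo` invocations in the comments are assumptions, not values from the thread:

```scheme
;; Added example (not the patch's or the Guix manual's own code).  Two
;; declarations of the PostgreSQL service using the fields from this patch.
(use-modules (gnu)
             (gnu services databases)
             (gnu packages databases))

;; 1. Default: the `postgres' account keeps /sbin/nologin as its shell and
;;    the shared /var/empty as $HOME.  Administration goes through
;;    `sudo -u postgres -s /bin/sh' as the manual describes.  Nothing needs
;;    to be set for this; it is the hardened form.
(define postgresql-hardened
  (service postgresql-service-type
           (postgresql-configuration
            (postgresql postgresql-15))))   ; assumed package choice

;; 2. Opt-in: give the account the system default shell and a private home
;;    directory, so `sudo -iu postgres' yields a session with a writable
;;    $HOME (psql history, initdb/pg_upgrade/vacuumdb without `sh -c'
;;    quoting).  The directory is an assumption; because it differs from the
;;    default /var/empty, the patch's create-home-directory? logic has it
;;    created for `postgres'.  Leaving home-directory at /var/empty with
;;    allow-login? #t would give a login shell with no writable $HOME.
(define postgresql-with-login
  (service postgresql-service-type
           (postgresql-configuration
            (postgresql postgresql-15)
            (allow-login? #t)
            (home-directory "/var/lib/postgresql"))))

;; Put exactly one of the two values into the `services' field of the
;; operating-system declaration, e.g.
;;   (services (cons postgresql-with-login %base-services))
```

Neither form sets a password on the account; the difference is only whether the shell field is `/sbin/nologin` or the default shell, so the opt-in form still requires `sudo` (or `su` as root) to reach the account.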
From: Maxim Cournoyer
In-Reply-To: <9ac891e4fdb07ec4fd0e92f232a923d33d4c20ec.1743449155.git.~@wolfsden.cz> (Tomas Volf's message of "Mon, 31 Mar 2025 21:25:55 +0200")
Date: Thu, 03 Apr 2025 16:11:14 +0900
Message-ID: <87iknl1zzh.fsf@gmail.com>

Hi Tomas, Ludovic,

Tomas Volf <~@wolfsden.cz> writes:

> It is often useful to be able to use the `postgres' user for management tasks,
> so this commit allows setting that.  The default behavior is not changed.
>
> I have also added missing exports and sorted them by alphabet.
>
> * gnu/services/databases.scm (%default-home-directory): New variable.
> (): Add home-directory, allow-login? fields.
> (create-postgresql-account): Use them.
> * doc/guix.texi (Database Services): Document it.
>
> Change-Id: I2212e5082ff4e87c49a5a8a4711bf929dd08626a

I've read both of your answers, and I agree that this adds more
flexibility without touching the default behavior or security
implications, so I think it's reasonable.

Ludovic, please let us know what you think after reading Tomas' last
reply.

Reviewed-by: Maxim Cournoyer

-- 
Thanks,
Maxim
From: Ludovic Courtès
In-Reply-To: <87iknl1zzh.fsf@gmail.com> (Maxim Cournoyer's message of "Thu, 03 Apr 2025 16:11:14 +0900")
Date: Thu, 03 Apr 2025 11:11:49 +0200
Message-ID: <871pu98v8q.fsf@gnu.org>

Hi,

Maxim Cournoyer skribis:

> Tomas Volf <~@wolfsden.cz> writes:
>
>> It is often useful to be able to use the `postgres' user for management tasks,
>> so this commit allows setting that.  The default behavior is not changed.
>>
>> I have also added missing exports and sorted them by alphabet.
>>
>> * gnu/services/databases.scm (%default-home-directory): New variable.
>> (): Add home-directory, allow-login? fields.
>> (create-postgresql-account): Use them.
>> * doc/guix.texi (Database Services): Document it.
>>
>> Change-Id: I2212e5082ff4e87c49a5a8a4711bf929dd08626a
>
> I've read both of your answers, and I agree that this adds more
> flexibility without touching the default behavior or security
> implications, so I think it's reasonable.
>
> Ludovic, please let us know what you think after reading Tomas' last
> reply.

I’m fine with going that route since it makes things more convenient, but
I think the manual should warn against using (allow-login? #t) in
production.

Ludo’.
From: Tomas Volf <~@wolfsden.cz> In-Reply-To: <871pu98v8q.fsf@gnu.org> ("Ludovic =?UTF-8?Q?Court=C3=A8s?="'s message of "Thu, 03 Apr 2025 11:11:49 +0200") References: <9ac891e4fdb07ec4fd0e92f232a923d33d4c20ec.1743449155.git.~@wolfsden.cz> <87iknl1zzh.fsf@gmail.com> <871pu98v8q.fsf@gnu.org> Date: Thu, 03 Apr 2025 11:45:49 +0200 Message-ID: <87fripy3w2.fsf@wolfsden.cz> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Ludovic Court=C3=A8s writes: > Hi, > > Maxim Cournoyer skribis: > >> Tomas Volf <~@wolfsden.cz> writes: >> >>> It is often useful to be able to use the `postgres' user for management= tasks, >>> so this commit allows setting that. The default behavior is not change= d. >>> >>> I have also added missing exports and sorted them by alphabet. >>> >>> * gnu/services/databases.scm (%default-home-directory): New variable. >>> (): Add home-directory, allow-login? fields. >>> (create-postgresql-account): Use them. >>> * doc/guix.texi (Database Services): Document it. >>> >>> Change-Id: I2212e5082ff4e87c49a5a8a4711bf929dd08626a >> >> I've read both of your answers, and I agree that this adds more >> flexibility without touching the default behavior or security >> implications, so I think it's reasonable. >> >> Ludovic, please let us know what you think after reading Thomas' last >> reply. > > I=E2=80=99m fine with going that route since it make things more convenie= nt, but > I think the manual should warn against using (allow-login? #t) in > production. I am willing to make that concession, however before I send a v2, would you be able to give few reasons why you think it is a bad idea? 
I believe the manual should justify the recommendation, and I am currently unsure how.

It is common across other distributions to use a real shell as the shell for the postgres user (I have checked Archlinux, Debian and Alpine), and all of them are (to at least some degree) suitable for production systems. The link you have shared for cuirass expects the user can use sudo, so at that point sudo -s can be used. In various production systems I have worked with, the postgres user was allowed to be logged into (possibly due to running on Debian/Ubuntu).

So I am having a somewhat hard time coming up with one or two concise reasons to put into the manual.

Thanks,
Tomas

-- 
There are only two hard things in Computer Science: cache invalidation,
naming things and off-by-one errors.

From: Ludovic Courtès
Date: Tue, 08 Apr 2025 11:48:28 +0200
Message-ID: <87v7rf6l1v.fsf@gnu.org>
In-Reply-To: <87fripy3w2.fsf@wolfsden.cz>
Subject: [bug#77413] [PATCH] services: postgresql-service-type: Allow allowing to log into the user.

Hi,

Tomas Volf <~@wolfsden.cz> skribis:

> Ludovic Courtès writes:

[...]

>> I’m fine with going that route since it makes things more convenient, but
>> I think the manual should warn against using (allow-login? #t) in
>> production.
>
> I am willing to make that concession, however before I send a v2, would
> you be able to give a few reasons why you think it is a bad idea? I
> believe the manual should justify the recommendation, and I am currently
> unsure how.
>
> It is common across other distributions to use a real shell as the shell for
> the postgres user (I have checked Archlinux, Debian and Alpine), all of
> them are (to at least some degree) suitable for production systems. The
> link you have shared for cuirass expects the user can use sudo, so at
> that point sudo -s can be used. In various production systems I have
> worked with, the postgres user was allowed to be logged into (possibly
> due to running on Debian/Ubuntu).
>
> So I am having a somewhat hard time coming up with one or two concise
> reasons to put into the manual.

To me the motivation would be to reduce the attack surface by not giving system accounts a shell nor a password. That also ensures admins don’t inadvertently run all sorts of processes other than the service itself under the privilege separation account.

But then again, I’m not a sysadmin; if you say that this is common practice in the case of the postgresql privilege separation user, then it’s probably that people consider it good enough, and perhaps we don’t need a warning.

Thanks,
Ludo’.
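The two properties named in the message above, a shell and a password on a system account, can be audited mechanically. The script below is an added example, not code from the thread or from Guix: it parses constructed /etc/passwd and /etc/shadow lines and flags system accounts that have an interactive shell, an interactive shell paired with an unwritable home such as /var/empty, or a usable password hash. The UID cutoff, the list of no-login shells, the bash path and the sample entries are assumptions.

```python
"""Audit system accounts for login shells and usable passwords.

Added example (not part of the Guix patch or the bug thread). Checks
constructed passwd/shadow lines for the two things a privilege
separation account should normally lack: an interactive shell and a
password. Thresholds, shell paths and sample data are assumptions.
"""
from dataclasses import dataclass

# Shells that deny interactive login. /sbin/nologin is what the Guix
# service sets when allow-login? is #f; the others are common elsewhere.
NOLOGIN_SHELLS = {
    "/sbin/nologin",
    "/usr/sbin/nologin",
    "/bin/false",
    "/run/current-system/profile/sbin/nologin",
}
SYSTEM_UID_MAX = 999          # assumption: UIDs below 1000 are system accounts
UNWRITABLE_HOMES = {"/var/empty", "/nonexistent"}   # assumption


@dataclass
class Finding:
    user: str
    reason: str


def parse_passwd(text):
    """Return {name: (uid, home, shell)} from passwd-format lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":", 6)
        accounts[name] = (int(uid), home, shell)
    return accounts


def parse_shadow(text):
    """Return {name: password_field} from shadow-format lines."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw = line.split(":", 2)[:2]
        fields[name] = pw
    return fields


def password_usable(field):
    """True if the shadow field allows password authentication.

    An empty field means login with no password at all; '!' or '*'
    prefixed fields are locked; anything else is treated as a hash.
    """
    if field == "":
        return True
    return not field.startswith(("!", "*"))


def audit(passwd_text, shadow_text):
    """Return a list of Finding for system accounts (uid 1..999)."""
    accounts = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, (uid, home, shell) in accounts.items():
        if uid == 0 or uid > SYSTEM_UID_MAX:
            continue                       # root and human users are out of scope
        if shell not in NOLOGIN_SHELLS:
            findings.append(Finding(name, f"login shell {shell} on a system account"))
            if home in UNWRITABLE_HOMES:
                findings.append(Finding(name, f"login shell but unwritable home {home}"))
        # Missing shadow entry is treated as locked ("!").
        if password_usable(shadow.get(name, "!")):
            findings.append(Finding(name, "usable password on a system account"))
    return findings


# Constructed sample data (not from any real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
postgres:x:105:105:PostgreSQL server user:/var/empty:/run/current-system/profile/bin/bash
mysql:x:106:106:MySQL server user:/var/empty:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:$6$dummyhash:19000:0:99999:7:::
postgres:!:19000:0:99999:7:::
mysql:$6$anotherhash:19000:0:99999:7:::
alice:$6$x:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit(PASSWD, SHADOW):
        print(f"{f.user}: {f.reason}")
```

On the sample data the postgres account is reported twice (it has a shell and its home is /var/empty) and mysql once (a usable password hash despite nologin); root and alice are skipped as out of scope. On a real host the same functions can be fed the contents of /etc/passwd and /etc/shadow.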
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Tomas Volf <~@wolfsden.cz>
Subject: bug#77413: closed (Re: [bug#77413] [PATCH] services: postgresql-service-type: Allow allowing to log into the user.)
Date: Wed, 23 Apr 2025 10:33:13 +0000

Your bug report

#77413: [PATCH] services: postgresql-service-type: Allow allowing to log into the user.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report. If you require more details, please reply to 77413@debbugs.gnu.org.

-- 
77413: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=77413
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Ludovic Courtès
To: Tomas Volf <~@wolfsden.cz>
Cc: 77413-done@debbugs.gnu.org, Maxim Cournoyer
Subject: Re: [bug#77413] [PATCH] services: postgresql-service-type: Allow allowing to log into the user.
Date: Wed, 23 Apr 2025 12:07:17 +0200
Message-ID: <875xivp4x6.fsf@gnu.org>
In-Reply-To: <87v7rf6l1v.fsf@gnu.org>

Hello,

Ludovic Courtès writes:

> But then again, I’m not a sysadmin; if you say that this is common
> practice in the case of the postgresql privilege separation user, then
> it’s probably that people consider it good enough, and perhaps we don’t
> need a warning.

Based on this, I went ahead and applied the patch with the change below.

Thanks,
Ludo’.

diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm
index b45aad2c0b..edc3198ad5 100644
--- a/gnu/services/databases.scm
+++ b/gnu/services/databases.scm
@@ -29,6 +29,7 @@ (define-module (gnu services databases) #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu system shadow) + #:autoload (gnu system accounts) (default-shell) #:use-module (gnu packages admin) #:use-module (gnu packages base) #:use-module (gnu packages databases) 
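Review bot: the new `+ #:autoload (gnu system accounts) (default-shell)` line should carry a short comment saying why it is an autoload rather than a `#:use-module`. The original patch reached across modules with `((@ (gnu system accounts) default-shell))`, which suggests the indirection exists to avoid a module cycle; without a comment, a later cleanup is likely to turn the autoload into a plain import and reintroduce whatever problem was being avoided.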
@@ -220,7 +221,7 @@ (define (create-postgresql-account config) (not (string=? home-directory %default-home-directory))) (home-directory home-directory) (shell (if allow-login? - ((@ (gnu system accounts) default-shell)) + (default-shell) (file-append shadow "/sbin/nologin")))))))) (define (final-postgresql postgresql extension-packages)
From: Tomas Volf <~@wolfsden.cz>
To: guix-patches@gnu.org
X-Debbugs-Cc: Ludovic Courtès , Maxim Cournoyer
Subject: [PATCH] services: postgresql-service-type: Allow allowing to log into the user.
Date: Mon, 31 Mar 2025 21:25:55 +0200
Message-ID: <9ac891e4fdb07ec4fd0e92f232a923d33d4c20ec.1743449155.git.~@wolfsden.cz>

It is often useful to be able to use the `postgres' user for management tasks, so this commit allows setting that. The default behavior is not changed.

I have also added missing exports and sorted them alphabetically.

* gnu/services/databases.scm (%default-home-directory): New variable.
(): Add home-directory, allow-login? fields.
(create-postgresql-account): Use them.
* doc/guix.texi (Database Services): Document it.

Change-Id: I2212e5082ff4e87c49a5a8a4711bf929dd08626a
---
 doc/guix.texi              | 17 ++++++++++++-----
 gnu/services/databases.scm | 31 +++++++++++++++++++++++--------
 2 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index cb4c1b2430..a152a9623e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27523,11 +27523,11 @@ Database Services restart the service. Peer authentication is used by default and the @code{postgres} user -account has no shell, which prevents the direct execution of @code{psql} -commands as this user. To use @code{psql}, you can temporarily log in -as @code{postgres} using a shell, create a PostgreSQL superuser with the -same name as one of the system users and then create the associated -database. +account has no shell (unless @code{allow-login?} is @code{#t}), which +prevents the direct execution of @code{psql} commands as this user. To +use @code{psql}, you can temporarily log in as @code{postgres} using a +shell, create a PostgreSQL superuser with the same name as one of the +system users and then create the associated database. @example sudo -u postgres -s /bin/sh @@ -27606,6 +27606,13 @@ Database Services @item @code{create-account?} (default: @code{#t}) Whether or not the @code{postgres} user and group should be created. +@item @code{allow-login?} (default: @code{#f}) +Whether or not to allow login into the created account. + +@item @code{home-directory} (default: @code{"/var/empty"}) +The home directory of the user. It is strongly advised to change this +if you set @code{allow-login?} to @code{#t}. + @item @code{uid} (default: @code{#f}) Explicitly specify the UID of the @code{postgres} daemon account. You normally do not need to specify this, in which case a free UID will diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm index 6d80376d90..b45aad2c0b 100644 --- a/gnu/services/databases.scm +++ b/gnu/services/databases.scm 
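Review bot: in the `@@ -27606` hunk, `It is strongly advised to change this if you set @code{allow-login?} to @code{#t}` gives the advice without the reason; say what goes wrong when a login shell is paired with `/var/empty` as home (an interactive session has nowhere writable for shell and `psql` state) so readers can judge whether it applies to them. The `allow-login?` entry would also benefit from one sentence on what the option does and does not do: from the code hunks it only switches the account's shell from `nologin` to the default shell and touches no password, so the supported way in remains `sudo -u postgres` as shown in the `@@ -27523` example above it.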
@@ -51,13 +51,18 @@ (define-module (gnu services databases) postgresql-configuration postgresql-configuration? - postgresql-configuration-postgresql - postgresql-configuration-port - postgresql-configuration-locale - postgresql-configuration-file - postgresql-configuration-log-directory + postgresql-configuration-allow-login? + postgresql-configuration-create-account? postgresql-configuration-data-directory postgresql-configuration-extension-packages + postgresql-configuration-file + postgresql-configuration-gid + postgresql-configuration-home-directory + postgresql-configuration-locale + postgresql-configuration-log-directory + postgresql-configuration-port + postgresql-configuration-postgresql + postgresql-configuration-uid postgresql-service postgresql-service-type @@ -164,6 +169,8 @@ (define-gexp-compiler (postgresql-config-file-compiler port))) #:local-build? #t)))) +(define %default-home-directory "/var/empty") + (define-record-type* postgresql-configuration make-postgresql-configuration postgresql-configuration? @@ -186,6 +193,10 @@ (define-record-type* (default '())) (create-account? postgresql-configuration-create-account? (default #t)) + (home-directory postgresql-configuration-home-directory + (default %default-home-directory)) + (allow-login? postgresql-configuration-allow-login? + (default #f)) (uid postgresql-configuration-uid (default #f)) (gid postgresql-configuration-gid @@ -193,7 +204,7 @@ (define-record-type* (define (create-postgresql-account config) (match-record config - (create-account? uid gid) + (create-account? allow-login? home-directory uid gid) (if (not create-account?) '() (list (user-group (name "postgres") 
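Review bot: the `@@ -51` hunk exports `postgresql-configuration-gid` and `postgresql-configuration-uid` for the first time, together with the accessors for the new fields, but the ChangeLog lines in the commit message only cover `%default-home-directory`, the new record fields and `create-postgresql-account`; add an entry for the export-list change so the public-API addition is recorded rather than left to the prose "added missing exports".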
@@ -205,8 +216,12 @@ (define (create-postgresql-account config) (system? #t) (uid uid) (comment "PostgreSQL server user") - (home-directory "/var/empty") - (shell (file-append shadow "/sbin/nologin"))))))) + (create-home-directory? + (not (string=? home-directory %default-home-directory))) + (home-directory home-directory) + (shell (if allow-login? + ((@ (gnu system accounts) default-shell)) + (file-append shadow "/sbin/nologin")))))))) (define (final-postgresql postgresql extension-packages) (if (null? extension-packages) -- 2.49.0
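Review bot: `((@ (gnu system accounts) default-shell))` reaches into another module with `@`, which bypasses the dependencies declared in `define-module`; prefer an `#:autoload (gnu system accounts) (default-shell)` in the module header and a plain `(default-shell)` call here, which is what the follow-up change applied above does. Two smaller points in the same hunk: `(create-home-directory? (not (string=? home-directory %default-home-directory)))` uses the default value as a sentinel by string comparison, which deserves a comment next to `%default-home-directory` so the coupling is visible; and since only `shell` and `home-directory` change while `system? #t` stays and no password field is touched, the documentation hunk should state that `allow-login? #t` grants a login shell and nothing more.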
From: Tomas Volf <~@wolfsden.cz>
Date: Fri, 02 May 2025 15:31:37 +0200
Message-ID: <87a57v3zra.fsf@wolfsden.cz>
In-Reply-To: <875xivp4x6.fsf@gnu.org>
Subject: [bug#77413] [PATCH] services: postgresql-service-type: Allow allowing to log into the user.

Ludovic Courtès writes:

> Hello,
>
> Ludovic Courtès writes:
>
>> But then again, I’m not a sysadmin; if you say that this is common
>> practice in the case of the postgresql privilege separation user, then
>> it’s probably that people consider it good enough, and perhaps we don’t
>> need a warning.
>
> Based on this, I went ahead and applied the patch with the change
> below.

Sorry for not reacting sooner, my availability is somewhat spotty lately (purely on me, I suck at time management and there always is just too much to do).

Thank you for applying the change!

Have a nice day,
Tomas

-- 
There are only two hard things in Computer Science: cache invalidation,
naming things and off-by-one errors.