GNU bug report logs - #77413
[PATCH] services: postgresql-service-type: Allow allowing to log into the user.

Package: guix-patches;

Reported by: Tomas Volf <~@wolfsden.cz>

Date: Mon, 31 Mar 2025 19:28:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


Message #11 received at 77413 <at> debbugs.gnu.org (full text, mbox):

From: Tomas Volf <~@wolfsden.cz>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 77413 <at> debbugs.gnu.org, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: Re: [bug#77413] [PATCH] services: postgresql-service-type: Allow
 allowing to log into the user.
Date: Tue, 01 Apr 2025 23:06:25 +0200

Ludovic Courtès <ludo <at> gnu.org> writes:

> Tomas Volf <~@wolfsden.cz> skribis:
>
>> It is often useful to be able to use the `postgres' user for management tasks,
>> so this commit allows setting that.  The default behavior is not changed.
>>
>> I have also added missing exports and sorted them by alphabet.
>>
>> * gnu/services/databases.scm (%default-home-directory): New variable.
>> (<postgresql-configuration>): Add home-directory, allow-login? fields.
>> (create-postgresql-account): Use them.
>> * doc/guix.texi (Database Services): Document it.
>>
>> Change-Id: I2212e5082ff4e87c49a5a8a4711bf929dd08626a
>
> Hi!  I’m rather against this change, because it’s unnecessary.

The default is not changed though, this just gives people more options.
Some people (me included) prefer to have postgres account as a fully
working user, with working psql history.  Unless this opens security
issues (Does it?  For example Archlinux has /usr/bin/bash for postgres
user.), is there a reason not to allow users to make the choice here?
Especially since the default behavior is not modified and still adheres
to your preference?

> Let me share a protip:
>
>   sudo su - cuirass -s /bin/sh -c $(type -P psql)
>

Thank you for the -s flag, I was not aware of it.  That makes the initial
setup possible, but still annoying.  I needed to run `initdb' (with
modified $PATH), `pg_upgrade' and `vacuumdb'.  I believe that running
those after `sudo -iu postgres' is much easier than trying to figure out
correct quoting while passing all these things as a string to -c
argument of /bin/sh.

Additionally the service I am running does *not* have full permissions
to the database, so I need to be able to connect somehow for manual
modifications.  I *could* just alias `psql' to `sudo -u postgres -s
/bin/sh -c 'psql'', but I would still not get working history.
Alternatively I could start using the TCP connection and rely on
scram-sha-256 instead of peer authentication.  Or I could create a special
dummy account I would sudo into and use that one.  But... I already
have a perfect account, postgres.  So I would like to use it.

So to sum up, I now agree all is possible even without this change
(TIL!), but convenience (and personal preference) is a different matter.

Tomas

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.




This bug report was last modified 13 days ago.
