GNU bug report logs - #77413
[PATCH] services: postgresql-service-type: Allow allowing to log into the user.


Package: guix-patches;

Reported by: Tomas Volf <~@wolfsden.cz>

Date: Mon, 31 Mar 2025 19:28:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #23 received at 77413 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Tomas Volf <~@wolfsden.cz>
Cc: 77413 <at> debbugs.gnu.org, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: Re: [bug#77413] [PATCH] services: postgresql-service-type: Allow
 allowing to log into the user.
Date: Tue, 08 Apr 2025 11:48:28 +0200

Hi,

Tomas Volf <~@wolfsden.cz> skribis:

> Ludovic Courtès <ludo <at> gnu.org> writes:

[...]

>> I’m fine with going that route since it makes things more convenient, but
>> I think the manual should warn against using (allow-login? #t) in
>> production.
>
> I am willing to make that concession, however before I send a v2, would
> you be able to give a few reasons why you think it is a bad idea?  I
> believe the manual should justify the recommendation, and I am currently
> unsure how.
>
> It is common across other distributions to use a real shell as a shell for
> the postgres user (I have checked Archlinux, Debian and Alpine), all of
> them are (to at least some degree) suitable for production systems.  The
> link you have shared for cuirass expects the user can use sudo, so at
> that point sudo -s can be used.  In various production systems I have
> worked with, the postgres user was allowed to be logged into (possibly
> due to running on Debian/Ubuntu).
>
> So I am having a somewhat hard time coming up with one or two concise
> reasons to put into the manual.

To me the motivation would be to reduce the attack surface by not giving
system accounts a shell nor a password.  That also ensures admins don’t
inadvertently run all sorts of processes other than the service itself
under the privilege separation account.

But then again, I’m not a sysadmin; if you say that this is common
practice in the case of the postgresql privilege separation user, then
it’s probably that people consider it good enough, and perhaps we don’t
need a warning.

Thanks,
Ludo’.
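
An added example, not part of the message above or of the Guix patch: a shell check for the two properties named in the reply, that a system account has neither a login shell nor a usable password. The sample file contents, account names, store path and the UID cutoff of 999 are constructed assumptions.

```shell
#!/bin/sh
# audit_system_logins PASSWD_FILE SHADOW_FILE [UID_MAX]
# Prints "name<TAB>finding" for accounts with UID 1..UID_MAX (root is skipped).
# UID_MAX defaults to 999, an assumed cutoff for system accounts.
audit_system_logins() {
    awk -F: -v uid_max="${3:-999}" '
        # First operand (shadow): remember each account password field.
        FILENAME == ARGV[1] { pw[$1] = $2; seen[$1] = 1; next }
        # Second operand (passwd): inspect non-root system accounts only.
        $3 > 0 && $3 <= uid_max {
            n = split($7, parts, "/")
            base = parts[n]      # empty field means the default shell
            if (base != "nologin" && base != "false")
                printf "%s\tlogin-shell=%s\n", $1, $7
            # Fields starting with "!" or "*" are locked; an empty field
            # allows login with no password and is reported as usable.
            if (seen[$1] && pw[$1] !~ /^[!*]/)
                printf "%s\tpassword-usable\n", $1
        }
    ' "$2" "$1"
}

# write_sample DIR: constructed passwd and shadow files for demonstration.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:System administrator:/root:/bin/bash
postgres:x:990:990:PostgreSQL daemon:/var/empty:/run/current-system/profile/bin/bash
nginx:x:989:989:nginx daemon:/var/empty:/gnu/store/placeholder-shadow/sbin/nologin
backup:x:988:988:backup job:/var/empty:/gnu/store/placeholder-shadow/sbin/nologin
alice:x:1000:998:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:19000::::::
postgres:!:19000::::::
nginx:!:19000::::::
backup:$6$constructed$hash:19000::::::
alice:$6$constructed$hash:19000::::::
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp -d) && write_sample "$tmp" &&
    audit_system_logins "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

On a real host the shadow file is readable only by root, so the check has to run with that privilege.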




This bug report was last modified 13 days ago.


