GNU bug report logs -
#77413
[PATCH] services: postgresql-service-type: Allow allowing to log into the user.
Previous Next
Reported by: Tomas Volf <~@wolfsden.cz>
Date: Mon, 31 Mar 2025 19:28:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your message dated Wed, 23 Apr 2025 12:07:17 +0200
with message-id <875xivp4x6.fsf <at> gnu.org>
and subject line Re: [bug#77413] [PATCH] services: postgresql-service-type: Allow allowing to log into the user.
has caused the debbugs.gnu.org bug report #77413,
regarding [PATCH] services: postgresql-service-type: Allow allowing to log into the user.
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
77413: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=77413
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
It is often useful to be able to use the `postgres' user for management tasks,
so this commit allows setting that. The default behavior is not changed.
I have also added missing exports and sorted them by alphabet.
* gnu/services/databases.scm (%default-home-directory): New variable.
(<postgresql-configuration>): Add home-directory, allow-login? fields.
(create-postgresql-account): Use them.
* doc/guix.texi (Database Services): Document it.
Change-Id: I2212e5082ff4e87c49a5a8a4711bf929dd08626a
---
doc/guix.texi | 17 ++++++++++++-----
gnu/services/databases.scm | 31 +++++++++++++++++++++++--------
2 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index cb4c1b2430..a152a9623e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27523,11 +27523,11 @@ Database Services
restart the service.
Peer authentication is used by default and the @code{postgres} user
-account has no shell, which prevents the direct execution of @code{psql}
-commands as this user. To use @code{psql}, you can temporarily log in
-as @code{postgres} using a shell, create a PostgreSQL superuser with the
-same name as one of the system users and then create the associated
-database.
+account has no shell (unless @code{allow-login?} is @code{#t}), which
+prevents the direct execution of @code{psql} commands as this user. To
+use @code{psql}, you can temporarily log in as @code{postgres} using a
+shell, create a PostgreSQL superuser with the same name as one of the
+system users and then create the associated database.
@example
sudo -u postgres -s /bin/sh
@@ -27606,6 +27606,13 @@ Database Services
@item @code{create-account?} (default: @code{#t})
Whether or not the @code{postgres} user and group should be created.
+@item @code{allow-login?} (default: @code{#f})
+Whether or not to allow login into the created account.
+
+@item @code{home-directory} (default: @code{"/var/empty"})
+The home directory of the user. It is strongly advised to change this
+if you set @code{allow-login?} to @code{#t}.
+
@item @code{uid} (default: @code{#f})
Explicitly specify the UID of the @code{postgres} daemon account.
You normally do not need to specify this, in which case a free UID will
diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm
index 6d80376d90..b45aad2c0b 100644
--- a/gnu/services/databases.scm
+++ b/gnu/services/databases.scm
@@ -51,13 +51,18 @@ (define-module (gnu services databases)
postgresql-configuration
postgresql-configuration?
- postgresql-configuration-postgresql
- postgresql-configuration-port
- postgresql-configuration-locale
- postgresql-configuration-file
- postgresql-configuration-log-directory
+ postgresql-configuration-allow-login?
+ postgresql-configuration-create-account?
postgresql-configuration-data-directory
postgresql-configuration-extension-packages
+ postgresql-configuration-file
+ postgresql-configuration-gid
+ postgresql-configuration-home-directory
+ postgresql-configuration-locale
+ postgresql-configuration-log-directory
+ postgresql-configuration-port
+ postgresql-configuration-postgresql
+ postgresql-configuration-uid
postgresql-service
postgresql-service-type
@@ -164,6 +169,8 @@ (define-gexp-compiler (postgresql-config-file-compiler
port)))
#:local-build? #t))))
+(define %default-home-directory "/var/empty")
+
(define-record-type* <postgresql-configuration>
postgresql-configuration make-postgresql-configuration
postgresql-configuration?
@@ -186,6 +193,10 @@ (define-record-type* <postgresql-configuration>
(default '()))
(create-account? postgresql-configuration-create-account?
(default #t))
+ (home-directory postgresql-configuration-home-directory
+ (default %default-home-directory))
+ (allow-login? postgresql-configuration-allow-login?
+ (default #f))
(uid postgresql-configuration-uid
(default #f))
(gid postgresql-configuration-gid
@@ -193,7 +204,7 @@ (define-record-type* <postgresql-configuration>
(define (create-postgresql-account config)
(match-record config <postgresql-configuration>
- (create-account? uid gid)
+ (create-account? allow-login? home-directory uid gid)
(if (not create-account?) '()
(list (user-group
(name "postgres")
@@ -205,8 +216,12 @@ (define (create-postgresql-account config)
(system? #t)
(uid uid)
(comment "PostgreSQL server user")
- (home-directory "/var/empty")
- (shell (file-append shadow "/sbin/nologin")))))))
+ (create-home-directory?
+ (not (string=? home-directory %default-home-directory)))
+ (home-directory home-directory)
+ (shell (if allow-login?
+ ((@ (gnu system accounts) default-shell))
+ (file-append shadow "/sbin/nologin"))))))))
(define (final-postgresql postgresql extension-packages)
(if (null? extension-packages)
--
2.49.0
[Message part 3 (message/rfc822, inline)]
[Message part 4 (text/plain, inline)]
Hello,
Ludovic Courtès <ludo <at> gnu.org> writes:
> But then again, I’m not a sysadmin; if you say that this is common
> practice in the case of the postgresql privilege separation user, then
> it’s probably that people consider it good enough, and perhaps we don’t
> need a warning.
Based on this, I went ahead and applied the patch with the change below.
Thanks,
Ludo’.
[Message part 5 (text/x-patch, inline)]
diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm
index b45aad2c0b..edc3198ad5 100644
--- a/gnu/services/databases.scm
+++ b/gnu/services/databases.scm
@@ -29,6 +29,7 @@ (define-module (gnu services databases)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu system shadow)
+ #:autoload (gnu system accounts) (default-shell)
#:use-module (gnu packages admin)
#:use-module (gnu packages base)
#:use-module (gnu packages databases)
@@ -220,7 +221,7 @@ (define (create-postgresql-account config)
(not (string=? home-directory %default-home-directory)))
(home-directory home-directory)
(shell (if allow-login?
- ((@ (gnu system accounts) default-shell))
+ (default-shell)
(file-append shadow "/sbin/nologin"))))))))
(define (final-postgresql postgresql extension-packages)
This bug report was last modified 13 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.