public inbox for [email protected]
From: Markus Bräunig <[email protected]>
To: Justin Pryzby <[email protected]>
Cc: Devrim Gündüz <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: /var/lib/pgsql 0755
Date: Thu, 27 May 2021 19:17:21 +0000
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>

Not at all,

We normally just have about 3 users (in use) on the servers:
root, postgres and a monitoring user.

We log in directly as the postgres user (ssh key | auditing through a bastion host if necessary | no password set).

In the past most suid-bit binaries were forbidden by policy, and on most systems this is still the way to go.

Markus

> On 27.05.2021 at 20:50, Justin Pryzby <[email protected]> wrote:
> 
> On Thu, May 27, 2021 at 06:40:40PM +0000, Markus Bräunig wrote:
>> I thought as long as /v/l/p is the homedir of the postgres user we should be careful with changes like this.
> 
> I think you mean that you do things like "sudo -iu postgres" to open an
> interactive shell.  Probably because you want to "cd" into the dir and "ls".
> 
> I imagine that's common, but is itself strange to me.  You can just "ls" the
> dir without sudo without opening an interactive shell, and do anything else,
> too.  Which is safer (avoids the risk of then leaving the shell opened or
> running as the wrong user in the wrong window) and avoids starting down the
> path of running around the system putting on different users' "hats".
> 
> System users like this are for running their specific daemon, for isolation
> purposes and not for running interactive shells.  It shouldn't have a password
> set, either.
> 
>> We normally shift the data dir to other places and the log files as well. For the log files we use a separate group combined with an sgid bit.
> 
> -- 
> Justin
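A worked example of the two points argued over in this thread: the mode of the postgres home directory (0755 vs. a mode that gives "others" nothing) and a log directory that uses a separate group plus the sgid bit so new log files inherit that group. This is an added example, not code from either poster; it assumes GNU coreutils (`stat -c`), and the paths and the group are placeholders supplied by the caller.

```sh
#!/bin/sh
# Added example, not code from the thread. Checks the permission mode of a
# PostgreSQL directory such as /var/lib/pgsql, and sets up a log directory
# whose files inherit a dedicated group through the setgid bit.
# Assumes GNU coreutils (stat -c). Paths and the group are placeholders
# passed in by the caller.

# Octal mode of a path, special bits included: 0755 prints as 755,
# a setgid 0750 directory prints as 2750.
mode_of() {
    stat -c %a "$1"
}

# Succeeds only if "others" have no permission bits at all, i.e. the last
# octal digit is 0. /var/lib/pgsql at 0755 fails this check; 0750 or 0700 pass.
others_have_no_access() {
    m=$(mode_of "$1") || return 1
    [ "${m#"${m%?}"}" = "0" ]
}

# Create a log directory owned by the caller, group GROUP (name or gid),
# mode 2750: readable by the group, closed to others, setgid so that every
# file and subdirectory created inside gets GROUP instead of the creator's
# primary group. Needs no root as long as the caller is a member of GROUP.
setup_log_dir() {
    dir=$1; group=$2
    mkdir -p "$dir" && chgrp "$group" "$dir" && chmod 2750 "$dir"
}

# Check the inheritance the setgid bit is supposed to give: a log file and
# an archive subdirectory created inside must carry the directory's gid,
# and the subdirectory must keep the setgid bit itself (Linux semantics).
verify_log_dir() {
    dir=$1
    want=$(stat -c %g "$dir") || return 1
    (umask 027 && : > "$dir/postgresql.log" && mkdir -p "$dir/archive") || return 1
    [ "$(stat -c %g "$dir/postgresql.log")" = "$want" ] || return 1
    [ "$(stat -c %g "$dir/archive")" = "$want" ] || return 1
    case "$(mode_of "$dir/archive")" in
        2*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demo run, only when invoked as: sh this_script.sh --demo
# Uses the caller's own primary group so it works on any box.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    setup_log_dir "$demo/pg_log" "$(id -g)"
    printf '%s mode %s\n' "$demo/pg_log" "$(mode_of "$demo/pg_log")"
    verify_log_dir "$demo/pg_log" && echo "group inheritance OK"
    others_have_no_access "$demo/pg_log" && echo "no access for others"
    rm -rf "$demo"
fi
```

On a real server you would pass the log directory and the dedicated logging group (for instance a group that the monitoring user belongs to) instead of the caller's primary group; the setgid bit then means log files written by postgres are readable by that group without anyone opening a shell as postgres.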

