/var/lib/pgsql 0755

public inbox for [email protected]  
help / color / mirror / Atom feed

/var/lib/pgsql 0755
4+ messages / 3 participants
[nested] [flat]

* /var/lib/pgsql 0755
@ 2021-05-27 18:03  Justin Pryzby <[email protected]>
  0 siblings, 2 replies; 4+ messages in thread

From: Justin Pryzby @ 2021-05-27 18:03 UTC (permalink / raw)
  To: Devrim Gündüz <[email protected]>; +Cc: pgsql-pkg-yum

Hi,

Postgres requires that the data dir is restricted:
2021-05-27 13:39:44.002 EDT [23409] FATAL:  data directory "/var/lib/pgsql/pgsql14.jtp" has invalid permissions
2021-05-27 13:39:44.002 EDT [23409] DETAIL:  Permissions should be u=rwx (0700) or u=rwx,g=rx (0750).

But the server package creates /v/l/pgsql as mode 700, and rpm resets the perms
on every installation.

[pryzbyj@database ~]$ rpm -qvl postgresql14-server-14-beta1_3PGDG.rhel7.x86_64 |grep var/lib
drwx------    2 postgrespostgres                    0 May 21 06:18 /var/lib/pgsql
drwx------    2 postgrespostgres                    0 May 21 06:18 /var/lib/pgsql/14
drwx------    2 postgrespostgres                    0 May 21 06:18 /var/lib/pgsql/14/backups
drwx------    2 postgrespostgres                    0 May 21 06:18 /var/lib/pgsql/14/data

That seems unnecessarily restrictive, since I might put something like logs
underneath there, and I'd prefer to be able to look for them, tab complete
them, maybe even look *at* them, depending on log_file_mode, and the
permissions that *I* set on the subdir.  I might just want to "ls"/tab complete
to know which version dir to use.  In my deployment script, I go to the effort
to set it back to 00755 for convenience.

Maybe the mode 700 stuff is leftover from old packages which didn't include a
version ?  Either in the package name or as a subdir.

There's not many base pakages which do this:
rpm -qlav |grep '^drwx.*root *root' |grep -v ^drwxr-xr-x |awk -F/ '!/audit|firewall|tmp|lvm/ && NF<5'

Would you consider setting at least /v/l/p to mode 755?  And maybe the version
subdirs (like 14) too.

-- 
Justin

^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: /var/lib/pgsql 0755
@ 2021-05-27 18:50  Justin Pryzby <[email protected]>
  parent: Justin Pryzby <[email protected]>
  1 sibling, 1 reply; 4+ messages in thread

From: Justin Pryzby @ 2021-05-27 18:50 UTC (permalink / raw)
  To: Markus Bräunig <[email protected]>; +Cc: Devrim Gündüz <[email protected]>; pgsql-pkg-yum

On Thu, May 27, 2021 at 06:40:40PM +0000, Markus Bräunig wrote:
> I thought as long as /v/l/p is the homedir of postgres user we should be carefully with changes like this. 

I think you mean that you do things like "sudo -iu postgres" to open an
interactive shell.  Probably because you want to "cd" into the dir and "ls".

I imagine that's common, but is itself strange to me.  You can just "ls" the
dir without sudo without opening an interactive shell, and do anything else,
too.  Which is safer (avoids the risk of then leaving the shell opened or
running as the wrong user in the wrong window) and avoids starting down the
path of running around the system putting on different users' "hats".

System users like this are for running their specific daemon, for isolation
purposes and not for running interactive shells.  It shouldn't have a password
set, either.

> We normally shift the data dir to other places and the log files as well. For the logfiles we use a separate group combined with a sgid bit 

-- 
Justin

^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: /var/lib/pgsql 0755
@ 2021-05-27 19:17  Markus Bräunig <[email protected]>
  parent: Justin Pryzby <[email protected]>
  0 siblings, 0 replies; 4+ messages in thread

From: Markus Bräunig @ 2021-05-27 19:17 UTC (permalink / raw)
  To: Justin Pryzby <[email protected]>; +Cc: Devrim Gündüz <[email protected]>; pgsql-pkg-yum

Not at all,

we normally just have about 3 users (used) on the servers:
root, postgres and a monitoring user. 

We directly login into the postgres user (ssh key | auditing through bastion host if necessary | no password set). 

In the past most suid bit binaries were forbidden by policy and on most System this still is the way to go. 

Markus

> Am 27.05.2021 um 20:50 schrieb Justin Pryzby <[email protected]>:
> 
> On Thu, May 27, 2021 at 06:40:40PM +0000, Markus Bräunig wrote:
>> I thought as long as /v/l/p is the homedir of postgres user we should be carefully with changes like this. 
> 
> I think you mean that you do things like "sudo -iu postgres" to open an
> interactive shell.  Probably because you want to "cd" into the dir and "ls".
> 
> I imagine that's common, but is itself strange to me.  You can just "ls" the
> dir without sudo without opening an interactive shell, and do anything else,
> too.  Which is safer (avoids the risk of then leaving the shell opened or
> running as the wrong user in the wrong window) and avoids starting down the
> path of running around the system putting on different users' "hats".
> 
> System users like this are for running their specific daemon, for isolation
> purposes and not for running interactive shells.  It shouldn't have a password
> set, either.
> 
>> We normally shift the data dir to other places and the log files as well. For the logfiles we use a separate group combined with a sgid bit 
> 
> -- 
> Justin


^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: /var/lib/pgsql 0755
@ 2021-05-27 20:28  Christoph Berg <[email protected]>
  parent: Justin Pryzby <[email protected]>
  1 sibling, 0 replies; 4+ messages in thread

From: Christoph Berg @ 2021-05-27 20:28 UTC (permalink / raw)
  To: [email protected]

Re: Justin Pryzby
> Would you consider setting at least /v/l/p to mode 755?  And maybe the version
> subdirs (like 14) too.

Fwiw these directories are 755 on Debian.

drwxr-xr-x 15 postgres postgres  4096 27. Mai 22:26 /var/lib/postgresql/
drwxr-xr-x  3 postgres postgres  4096 19. Apr 16:02 /var/lib/postgresql/10/
drwxr-xr-x  3 postgres postgres  4096 18. Aug 2020  /var/lib/postgresql/11/

But I can see the argument that the ~postgres HOME should be treated
with care.

Christoph






^ permalink  raw  reply  [nested|flat] 4+ messages in thread

end of thread, other threads:[~2021-05-27 20:28 UTC | newest]

Thread overview: 4+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2021-05-27 18:03 /var/lib/pgsql 0755 Justin Pryzby <[email protected]>
2021-05-27 18:50 ` Justin Pryzby <[email protected]>
2021-05-27 19:17   ` Markus Bräunig <[email protected]>
2021-05-27 20:28 ` Christoph Berg <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox