bug-guix
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#38198: missing shell for postgresql system user

From: Gábor Boskovits
Subject: bug#38198: missing shell for postgresql system user
Date: Wed, 13 Nov 2019 20:36:08 +0100 
Hello,

Giovanni Biscuolo <address@hidden> ezt írta (időpont: 2019. nov. 13., Sze, 
18:38):
>
> Hello Guix!
>
> Current postgresql access rules (pg_hba.conf) defaults to (see
> [bug#36191] for details on that patch):
>
> --8<---------------cut here---------------start------------->8---
> local   all     all                     peer
> host    all     all     127.0.0.1/32    md5
> host    all     all     ::1/128         md5
> --8<---------------cut here---------------end--------------->8---
>
> Peer authentication works by obtaining the (local) client's operating
> system user name from the kernel and using it as the allowed database
> user name, and is better than "trust" authentication
>
> To access a database server on localhost for the first time as the user
> postgres (the superuser) a person should use:
>
> --8<---------------cut here---------------start------------->8---
> sudo su postgres -c 'psql'
> --8<---------------cut here---------------end--------------->8---
>
> AFAIK this is the only method available after database initialization,
> with peer authentication
>
> Since the postgres user currently have a nologin shell (from
> gnu/services/databases.scm):
>
> --8<---------------cut here---------------start------------->8---
> (define %postgresql-accounts
>   (list (user-group (name "postgres") (system? #t))
>         (user-account
>          (name "postgres")
>          (group "postgres")
>          (system? #t)
>          (comment "PostgreSQL server user")
>          (home-directory "/var/empty")
>          (shell (file-append shadow "/sbin/nologin")))))
> --8<---------------cut here---------------end--------------->8---
>
> the above command does not work
>
> As a workaround I changed the postgres user shell to <store>/bin/bash
> and I was able to connect
>
> I do not see any security issue giving a shell to postgres, since it's
> password is disabled in /etc/shadow so the only way to access as
> postgres is via `sudo su postgres`

I would not mind this change, I think it is ok. However it is easy to
work around this with su -s.
I usually do that.
>
> Thougts?
>
> Thanks, Gio'
>
> --
> Giovanni Biscuolo
>
> Xelera IT Infrastructures


Best regards,
g_bor
-- 
OpenPGP Key Fingerprint: 7988:3B9F:7D6A:4DBF:3719:0367:2506:A96C:CF63:0B21
reply via email to
[Prev in Thread] Current Thread [Next in Thread]