GNU bug report logs - #38198
missing shell for postgresql system user

Previous Next

Package: guix;

Reported by: Giovanni Biscuolo <g <at> xelera.eu>

Date: Wed, 13 Nov 2019 17:38:01 UTC

Severity: normal

Done: Giovanni Biscuolo <g <at> xelera.eu>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 38198 in the body.
You can then email your comments to 38198 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#38198; Package guix. (Wed, 13 Nov 2019 17:38:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Giovanni Biscuolo <g <at> xelera.eu>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 13 Nov 2019 17:38:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Giovanni Biscuolo <g <at> xelera.eu>
To: bug-guix <at> gnu.org
Subject: missing shell for postgresql system user
Date: Wed, 13 Nov 2019 18:36:52 +0100

[Message part 1 (text/plain, inline)]
Hello Guix!

Current postgresql access rules (pg_hba.conf) defaults to (see
[bug#36191] for details on that patch):

--8<---------------cut here---------------start------------->8---
local	all	all			peer
host	all	all	127.0.0.1/32 	md5
host	all	all	::1/128 	md5
--8<---------------cut here---------------end--------------->8---

Peer authentication works by obtaining the (local) client's operating
system user name from the kernel and using it as the allowed database
user name, and is better than "trust" authentication

To access a database server on localhost for the first time as the user
postgres (the superuser) a person should use:

--8<---------------cut here---------------start------------->8---
sudo su postgres -c 'psql'
--8<---------------cut here---------------end--------------->8---

AFAIK this is the only method available after database initialization,
with peer authentication

Since the postgres user currently have a nologin shell (from
gnu/services/databases.scm):

--8<---------------cut here---------------start------------->8---
(define %postgresql-accounts
  (list (user-group (name "postgres") (system? #t))
        (user-account
         (name "postgres")
         (group "postgres")
         (system? #t)
         (comment "PostgreSQL server user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))
--8<---------------cut here---------------end--------------->8---

the above command does not work

As a workaround I changed the postgres user shell to <store>/bin/bash
and I was able to connect

I do not see any security issue giving a shell to postgres, since it's
password is disabled in /etc/shadow so the only way to access as
postgres is via `sudo su postgres`

Thougts?

Thanks, Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[signature.asc (application/pgp-signature, inline)]
Information forwarded to bug-guix <at> gnu.org:
bug#38198; Package guix. (Wed, 13 Nov 2019 19:37:02 GMT) Full text and rfc822 format available.

Message #8 received at 38198 <at> debbugs.gnu.org (full text, mbox):

From: Gábor Boskovits <boskovits <at> gmail.com>
To: Giovanni Biscuolo <g <at> xelera.eu>
Cc: 38198 <at> debbugs.gnu.org
Subject: Re: bug#38198: missing shell for postgresql system user
Date: Wed, 13 Nov 2019 20:36:08 +0100

Hello,

Giovanni Biscuolo <g <at> xelera.eu> ezt írta (időpont: 2019. nov. 13., Sze, 18:38):
>
> Hello Guix!
>
> Current postgresql access rules (pg_hba.conf) defaults to (see
> [bug#36191] for details on that patch):
>
> --8<---------------cut here---------------start------------->8---
> local   all     all                     peer
> host    all     all     127.0.0.1/32    md5
> host    all     all     ::1/128         md5
> --8<---------------cut here---------------end--------------->8---
>
> Peer authentication works by obtaining the (local) client's operating
> system user name from the kernel and using it as the allowed database
> user name, and is better than "trust" authentication
>
> To access a database server on localhost for the first time as the user
> postgres (the superuser) a person should use:
>
> --8<---------------cut here---------------start------------->8---
> sudo su postgres -c 'psql'
> --8<---------------cut here---------------end--------------->8---
>
> AFAIK this is the only method available after database initialization,
> with peer authentication
>
> Since the postgres user currently have a nologin shell (from
> gnu/services/databases.scm):
>
> --8<---------------cut here---------------start------------->8---
> (define %postgresql-accounts
>   (list (user-group (name "postgres") (system? #t))
>         (user-account
>          (name "postgres")
>          (group "postgres")
>          (system? #t)
>          (comment "PostgreSQL server user")
>          (home-directory "/var/empty")
>          (shell (file-append shadow "/sbin/nologin")))))
> --8<---------------cut here---------------end--------------->8---
>
> the above command does not work
>
> As a workaround I changed the postgres user shell to <store>/bin/bash
> and I was able to connect
>
> I do not see any security issue giving a shell to postgres, since it's
> password is disabled in /etc/shadow so the only way to access as
> postgres is via `sudo su postgres`

I would not mind this change, I think it is ok. However it is easy to
work around this with su -s.
I usually do that.
>
> Thougts?
>
> Thanks, Gio'
>
> --
> Giovanni Biscuolo
>
> Xelera IT Infrastructures


Best regards,
g_bor
-- 
OpenPGP Key Fingerprint: 7988:3B9F:7D6A:4DBF:3719:0367:2506:A96C:CF63:0B21
Reply sent to Giovanni Biscuolo <g <at> xelera.eu>:
You have taken responsibility. (Thu, 14 Nov 2019 10:03:02 GMT) Full text and rfc822 format available.
Notification sent to Giovanni Biscuolo <g <at> xelera.eu>:
bug acknowledged by developer. (Thu, 14 Nov 2019 10:03:02 GMT) Full text and rfc822 format available.

Message #13 received at 38198-done <at> debbugs.gnu.org (full text, mbox):

From: Giovanni Biscuolo <g <at> xelera.eu>
To: Gábor Boskovits <boskovits <at> gmail.com>
Cc: 38198-done <at> debbugs.gnu.org
Subject: Re: bug#38198: missing shell for postgresql system user
Date: Thu, 14 Nov 2019 11:02:15 +0100

[Message part 1 (text/plain, inline)]
Hello Gábor,

Gábor Boskovits <boskovits <at> gmail.com> writes:

[...]

>> To access a database server on localhost for the first time as the user
>> postgres (the superuser) a person should use:
>>
>> --8<---------------cut here---------------start------------->8---
>> sudo su postgres -c 'psql'
>> --8<---------------cut here---------------end--------------->8---

[...]

> I would not mind this change, I think it is ok. However it is easy to
> work around this with su -s.
> I usually do that.

Oh, that's the real solution: thanks! (I should study more...)

  sudo su postgres -s psql

Since giving a shell to the postgres user is **not** the solution, I'm
closing this bug.

I'll try to send a patch to the relevant documentation in the manual,
since now that we changed "trust" to "peer" a regular user cannot
connect to a newly initialized database using `psql -U postgres` (and is
good for security reasons); the user must be part of the "wheel" group
(or be authorized via sudoers in other ways) to be able to use `sudo su
postgres -s psql`

[...]

Thanks! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[signature.asc (application/pgp-signature, inline)]
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 12 Dec 2019 12:24:14 GMT) Full text and rfc822 format available.
This bug report was last modified 4 years and 136 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.