bug#38198: missing shell for postgresql system user
From: Giovanni Biscuolo
Subject: bug#38198: missing shell for postgresql system user
Date: Wed, 13 Nov 2019 18:36:52 +0100
Hello Guix!
Current postgresql access rules (pg_hba.conf) default to (see
[bug#36191] for details on that patch):
--8<---------------cut here---------------start------------->8---
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
--8<---------------cut here---------------end--------------->8---
Peer authentication works by obtaining the (local) client's operating
system user name from the kernel and using it as the allowed database
user name, and is better than "trust" authentication.
To access a database server on localhost for the first time as the user
postgres (the superuser) a person should use:
--8<---------------cut here---------------start------------->8---
sudo su postgres -c 'psql'
--8<---------------cut here---------------end--------------->8---
AFAIK this is the only method available after database initialization,
with peer authentication.
Since the postgres user currently has a nologin shell (from
gnu/services/databases.scm):
--8<---------------cut here---------------start------------->8---
(define %postgresql-accounts
  (list (user-group (name "postgres") (system? #t))
        (user-account
         (name "postgres")
         (group "postgres")
         (system? #t)
         (comment "PostgreSQL server user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))
--8<---------------cut here---------------end--------------->8---
the above command does not work.
As a workaround I changed the postgres user shell to <store>/bin/bash
and I was able to connect.
I do not see any security issue giving a shell to postgres, since its
password is disabled in /etc/shadow so the only way to access as
postgres is via `sudo su postgres`.
Thoughts?
Thanks, Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
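
As an added example (not part of the original message, and not Guix or PostgreSQL code), this Python sketch resolves which of the default rules quoted above applies to a connection, using pg_hba.conf's first-match semantics, and shows why a Unix-socket connection as database user postgres is accepted only when the operating system user is also postgres. It assumes a simplified parser (no quoting, include directives, auth options or user name maps); the OS user name `alice` and the function names are constructed for illustration.

```python
import ipaddress

# Default rules quoted in the message above.
PG_HBA = """\
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
"""

def parse_hba(text):
    """Simplified parser: no quoting, includes, auth options or user name maps."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":                      # "local" rows have no address column
            rules.append((f[0], f[1], f[2], None, f[3]))
        else:
            rules.append((f[0], f[1], f[2], ipaddress.ip_network(f[3]), f[4]))
    return rules

def name_matches(pattern, value):
    return pattern == "all" or value in pattern.split(",")

def select_method(rules, conn_type, db, user, client_ip=None):
    """Return the method of the FIRST matching rule, or None if nothing matches."""
    for rtype, rdb, ruser, net, method in rules:
        if rtype != conn_type or not (name_matches(rdb, db) and name_matches(ruser, user)):
            continue
        if net is not None:
            ip = ipaddress.ip_address(client_ip)
            if ip.version != net.version or ip not in net:
                continue
        return method
    return None

def outcome(rules, os_user, db_user, conn_type, client_ip=None, db="postgres"):
    """What the server does with a connection attempt under these rules."""
    method = select_method(rules, conn_type, db, db_user, client_ip)
    if method is None:
        return "rejected: no matching rule"
    if method == "peer":                         # OS user from the kernel must equal DB user
        return "accepted" if os_user == db_user else "rejected: peer mismatch"
    return method + " password required"

if __name__ == "__main__":
    rules = parse_hba(PG_HBA)
    print(outcome(rules, "alice", "postgres", "local"))             # constructed OS user
    print(outcome(rules, "postgres", "postgres", "local"))
    print(outcome(rules, "alice", "postgres", "host", "127.0.0.1"))
```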