Thread: help for:FATAL 1: configuration file `postgresql.conf' has wrong permissions

pgsql-bugs:

  Hello!
  I install postgres 7.1 on solaris 2.6(sparc cpu).And create some db,runing normal.Today,I want to restart the
database,itreport "FATAL 1:  configuration file `postgresql.conf' has wrong permissions",I check and change the
permissionto 775 ,but fail either,can you help.I need your help. 
  Thanks!

Best regard!









                        BonoLin(ÁÖº£µ¤)
                        Email:bonolin@yahoo.com
                        2001-07-19 12:07:34


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

bonolin <bonolin@yahoo.com> writes:
>   I install postgres 7.1 on solaris 2.6(sparc cpu).And create some
>   db,runing normal.Today,I want to restart the database,it report
>   "FATAL 1: configuration file `postgresql.conf' has wrong
>   permissions",I check and change the permission to 775 ,but fail
>   either,can you help.I need your help.  Thanks!

A look at the source code shows it wants 744 or less.

This is probably overly restrictive; in fact, I would argue that there
should be no such check at all.  We do not do runtime checks for
permissions on any other files, and some of them are far more sensitive
than postgresql.conf (password files for example).  Peter, what is the
rationale for having this check?

            regards, tom lane

> bonolin <bonolin@yahoo.com> writes:
> >   I install postgres 7.1 on solaris 2.6(sparc cpu).And create some
> >   db,runing normal.Today,I want to restart the database,it report
> >   "FATAL 1: configuration file `postgresql.conf' has wrong
> >   permissions",I check and change the permission to 775 ,but fail
> >   either,can you help.I need your help.  Thanks!
>
> A look at the source code shows it wants 744 or less.
>
> This is probably overly restrictive; in fact, I would argue that there
> should be no such check at all.  We do not do runtime checks for
> permissions on any other files, and some of them are far more sensitive
> than postgresql.conf (password files for example).  Peter, what is the
> rationale for having this check?

Isn't the file in /data, which is 700.  Why do we care what permissions
we give it?

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

Tom Lane writes:

> A look at the source code shows it wants 744 or less.
>
> This is probably overly restrictive; in fact, I would argue that there
> should be no such check at all.  We do not do runtime checks for
> permissions on any other files, and some of them are far more sensitive
> than postgresql.conf (password files for example).  Peter, what is the
> rationale for having this check?

Security on a module basis perhaps (a.k.a. paranoia)?  I could agree on
moving that check to $PGDATA but I feel it needs to be there.  At least
one user was going to get into trouble here.

--
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter

Peter Eisentraut <peter_e@gmx.net> writes:
> Tom Lane writes:
>> This is probably overly restrictive; in fact, I would argue that there
>> should be no such check at all.  We do not do runtime checks for
>> permissions on any other files, and some of them are far more sensitive
>> than postgresql.conf (password files for example).  Peter, what is the
>> rationale for having this check?

> Security on a module basis perhaps (a.k.a. paranoia)?  I could agree on
> moving that check to $PGDATA but I feel it needs to be there.

Seems to me it makes more sense to check $PGDATA, not one individual
file within the directory.  Ultimately we depend on $PGDATA to have
the right permissions.

We've since seen a second gripe from a user who was confused by this
check, so at the very least, the error message needs to be made more
clear.  (The second guy evidently thought that the code wanted him
to relax the permissions on postgresql.conf, not tighten them.)

            regards, tom lane

Tom Lane writes:

> Seems to me it makes more sense to check $PGDATA, not one individual
> file within the directory.  Ultimately we depend on $PGDATA to have
> the right permissions.

Check moved.

--
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter