Thread: required rights for PGDATA
Hi there,

I have the problem that I need to have a group of users (namely postgres and
the dbadmin) with access to pg_hba.conf.

As postgres (the user under which the process is actually running) cannot
obtain a shell, I need group access to the data directory in order to
configure postgres.

    drwxrwx--- 6 postgres postgres 4096 Jan 27 10:14 data/

However postgres refuses to start with 0770 permission.

In my case this additional security measure bites itself as now I need to
grant su to dbadmin and moreover grant shell access to postgres.

Some suggestions:

1.) the check can be made configurable (with the strict one as default)
2.) groups below 100 are okay.
3.) the default group of the postgres user is okay.
4.) the group 'postgres' is okay.

What do you all think?

With kind regards / mit freundlichem Gruß
Holger Klawitter
--
Holger Klawitter http://www.klawitter.de lists@klawitter.de
On Mon, 27 Jan 2003, Holger Klawitter wrote:

> Hi there,
>
> I have the problem that I need to have a group of users (namely postgres and
> the dbadmin) with access to pg_hba.conf.
>
> As postgres (the user under which the process is actually running) cannot
> obtain a shell, I need group access to the data directory in order to
> configure postgres.
>
> drwxrwx--- 6 postgres postgres 4096 Jan 27 10:14 data/
>
> However postgres refuses to start with 0770 permission.

What about if you change just the pg_hba.conf file and not the directory?
That is all dbadmin needs after all.

Nigel Andrews
Holger Klawitter <lists@klawitter.de> writes:
> As postgres (the user under which the process is actually running) cannot
> obtain a shell, I need group access to the data directory in order to
> configure postgres.
> [ so relax permissions on $PGDATA ]

Why is it more secure to relax permissions on $PGDATA than to undo your
choice not to have a login shell for postgres?

In very many environments, 0770 protection would be a disaster. I do not
think it is a good idea to allow that permission to be set, not even
configurably.

regards, tom lane
Thanks for your answer,

> In very many environments, 0770 protection would be a disaster. I do
> not think it is a good idea to allow that permission to be set, not
> even configurably.

Whether 0770 is a disaster strongly depends on the settings of the group
memberships. Group memberships are often neglected and I share your
concerns. I also agree that /data/base and such are really not the business
of anyone else, even dbadmin. And no doubts whatsoever regarding 0777.

But on the other hand, the current situation makes it really hard to
establish a role-based authorization scheme implemented using group
memberships. Every service has a unique user and group and every admin
belongs to all groups which he or she should be able to configure. All
services are jailed into their respective user account with shell access.
Postgres is the only service on my machine fighting that scheme.

Someone already suggested temporarily changing the PGDATA permission during
startup. I prefer to circumvent the check by placing softlinks inside /data
for all relevant files. I count on you not adding another check for each
file :-)

But perhaps I've overseen something with role-based service management. If
there is a bad flaw, please tell me...

With kind regards / mit freundlichem Gruß
Holger Klawitter
--
Holger Klawitter http://www.klawitter.de lists@klawitter.de
Holger Klawitter <lists@klawitter.de> writes:
> I prefer to circumvent the check by placing softlinks inside /data for all
> relevant files. I count on you not adding another check for each file :-)

That seems like a workable solution, and it has the advantage that only
those files that really need it have to be placed where the dbadmin group
can get at them.

regards, tom lane
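The two pieces discussed in this thread, the postmaster's refusal to start on a data directory with group or other permission bits, and the softlink workaround that keeps $PGDATA at 0700 while exposing only pg_hba.conf to a dbadmin group, as an added shell example. This is not code from the thread or from PostgreSQL itself; it mimics the mode check on a scratch directory and builds the link layout, and the directory names, the `pgdata_mode_ok` and `setup_shared_hba` function names, and the idea of a setgid config directory are assumptions of this example (the `chgrp` to the real dbadmin group is left to the administrator because it needs a group that exists on the host).

```shell
#!/bin/sh
# Added example, not from the thread: imitate the PGDATA permission check
# and set up the "symlink only the files that need it" layout.
set -e

# Return 0 when the directory has no group/other permission bits at all
# (0700-style, what the postmaster insists on); return 1 otherwise.
# Columns 5-10 of "ls -ld" output are the group+other rwx flags, which keeps
# this portable across GNU and BSD userlands.
pgdata_mode_ok() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# $1 = PGDATA, $2 = a separate config directory the dbadmin group may write.
# PGDATA stays 0700 so the mode check passes; pg_hba.conf lives in $2 and is
# reached through a softlink inside PGDATA. The setgid bit on $2 makes files
# created there inherit its group once the admin has run chgrp on it.
setup_shared_hba() {
    pgdata=$1
    confdir=$2
    mkdir -p "$pgdata" "$confdir"
    chmod 0700 "$pgdata"
    chmod 2770 "$confdir"
    [ -f "$confdir/pg_hba.conf" ] || : > "$confdir/pg_hba.conf"
    chmod 0660 "$confdir/pg_hba.conf"
    ln -sf "$confdir/pg_hba.conf" "$pgdata/pg_hba.conf"
}

# Small demonstration in a throwaway directory (constructed for this example).
demo() {
    scratch=$(mktemp -d)
    mkdir "$scratch/loose"
    chmod 0770 "$scratch/loose"
    if pgdata_mode_ok "$scratch/loose"; then
        echo "0770 accepted (unexpected)"
    else
        echo "0770 rejected, as the postmaster would"
    fi
    setup_shared_hba "$scratch/pgdata" "$scratch/pgconf"
    pgdata_mode_ok "$scratch/pgdata" && echo "0700 PGDATA with linked pg_hba.conf accepted"
    ls -l "$scratch/pgdata/pg_hba.conf"
    rm -rf "$scratch"
}

demo
```

After `chgrp dbadmin "$confdir"` (and the same on the file), members of that group can edit pg_hba.conf while /data/base and the rest of the cluster remain readable only by the postgres user, which is the property Tom Lane points to in his reply.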