Thread: Suppress checking of chmod 700 on data-dir?
Hi postgresql-listmembers,

for a backup-scenario I need to have access to the pgdata-directory as a different shell-user, but postgresql refuses to start if chmod is not 700 on the directory.

Is there a way to prevent postgres from checking the data-dir's chmod 700 on startup (and while running)?

Thanks for your short replies. I could not figure it out in the documentation.

Regards Johannes

postgresql 8.2.4 on ubuntu dapper

(if this question came 100 times, I apologize for being unable to find it)

On Thu, 2007-06-07 at 10:38 +0200, Johannes Konert wrote:
> Hi postgresql-listmembers,
> for a backup-scenario I need to have access to the pgdata-directory as a
> different shell-user, but postgresql refuses to start if chmod is not
> 700 on the directory.
>
> Is there a way to prevent postgres from checking the data-dir's chmod 700 on
> startup (and while running)?

use sudo in your backup scenario, or run your backup as postgres

gnari

> use sudo in your backup scenario, or run your backup as postgres

Thanks for your quick reply.

Unfortunately running backup via sudo is not an option due to security issues, and using the postgres-user is not feasible because other data is backed up as well where the postgres-user should not have access to.

So your answer means that there is definitely NO way to circumvent the chmod 700 thing? It's hard to believe that. Each and every thing is configurable in postgres, but I cannot disable or relax directory-permissions checking? Not even with a compile-option or something like that?

Anyway, thanks for your help. I'll keep searching for a solution.

Regards Johannes

Ragnar wrote:
>> are you planning a filesystem-level backup?
>>
>> are you aware that you cannot just backup the postgres data directories
>> from under a running server, and expect the
>> backup to be usable?
>>
>> gnari

As far as I understood the docu of psql 8.2.4 (http://www.postgresql.org/docs/8.2/interactive/continuous-archiving.html section 23.3.2) you can copy the files while postgres is running (respecting pg_start_backup and pg_stop_backup).

But that is not my point. The question is where I can change the enforced chmod 700 postgresql always wants me to set.

Regards Johannes :)

On Thu, 2007-06-07 at 12:57 +0200, Johannes Konert wrote:
> > use sudo in your backup scenario, or run your backup as postgres
> >
> Thanks for your quick reply.
> Unfortunately running backup via sudo is not an option due to security
> issues, and using the postgres-user is not feasible because other data is
> backed up as well where the postgres-user should not have access to.

You could run the backup as postgres and pipe the output to another program owned by the other user and with suid set in its permissions. The suid means that the receiving program would have access where you don't want postgres to go.

--
Oliver Elphick

Johannes Konert wrote:
> Ragnar wrote:
>>> are you planning a filesystem-level backup?
> As far as I understood the docu of psql 8.2.4
> (http://www.postgresql.org/docs/8.2/interactive/continuous-archiving.html
> section 23.3.2) you can copy the files while postgres is running
> (respecting pg_start_backup and pg_stop_backup)
> But that is not my point. The question is where I can change the
> enforced chmod 700 postgresql always wants me to set.

You can't.

You can however change the postgresql.conf to look for files somewhere besides $PGDATA and thus you would be able to back them up.

Anything else in there you should be grabbing via pg_dump anyway.

Joshua D. Drake

Joshua D. Drake wrote:
> Johannes Konert wrote:
>> But that is not my point. The question is where I can change the
>> enforced chmod 700 postgresql always wants me to set.
> You can't.
>
> You can however change the postgresql.conf to look for files
> somewhere besides $PGDATA and thus you would be able to back them up.

With postgresql.conf I can change the path to the data-dir, but postgresql checks the chmod 700 on that directory as well. So only the logfiles can be written and accessed somewhere else. The data itself is still only accessible by the postgres-user.

> Anything else in there you should be grabbing via pg_dump anyway.

So you suggest not to back up the filesystem-files, but to do a dump instead? Does this work together with PITR as described in 23.3 (http://www.postgresql.org/docs/8.2/interactive/continuous-archiving.html#BACKUP-BASE-BACKUP)?

I want to make a full backup every night of a heavy DB while it is running, combined with short-term WAL-archiving. Getting the WAL-files is easy by using the config-parameter archive_command, but to copy and back up the "base backup" once a day is impossible if I cannot access the data-files.

Will the described backup & restore work as well with a dump + WAL-files? Then I could forget about copying the file-system-files....

On Mon, 2007-06-11 at 09:03 +0200, Johannes Konert wrote:
> Joshua D. Drake wrote:
> > Anything else in there you should be grabbing via pg_dump anyway.
> So you suggest not to back up the filesystem-files, but to do a dump
> instead? Does this work together with PITR as described in 23.3
> (http://www.postgresql.org/docs/8.2/interactive/continuous-archiving.html#BACKUP-BASE-BACKUP)?
> I want to make a full backup every night of a heavy DB while it is
> running, combined with short-term WAL-archiving. Getting the WAL-files
> is easy by using the config-parameter archive_command, but to copy and
> back up the "base backup" once a day is impossible if I cannot access the
> data-files.
> Will the described backup & restore work as well with a dump + WAL-files?
> Then I could forget about copying the file-system-files....

No, it won't, so I'm not sure what Josh means.

--
Simon Riggs
EnterpriseDB http://www.enterprisedb.com

Oliver Elphick wrote:
> You could run the backup as postgres and pipe the output to another
> program owned by the other user and with suid set in its permissions.
> The suid means that the receiving program would have access where you
> don't want postgres to go.

Thanks Oliver, that was a good hint. Suids are not working on bash-scripts, but with a restricted entry in /etc/sudoers the backup-user can now execute a copy-and-access-script to get the files from within the PGDATA-dir.

Regards Johannes

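One way to set up the arrangement Johannes describes, as an added example that is not part of the thread: a single sudoers rule lets the backup account run one argument-less script as postgres, and the script streams the data directory to stdout so the archive is written by the backup user's own shell. The account name `backup`, the script path, the data directory location and the backup label are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: account "backup", script
# path /usr/local/sbin/pg_basebackup_stream, data dir below, label 'nightly'.
#
# /etc/sudoers (edit with visudo). The trailing "" forbids any arguments, so
# the backup account can run exactly this one command as postgres, not root:
#   backup ALL=(postgres) NOPASSWD: /usr/local/sbin/pg_basebackup_stream ""
#
# As the backup user:
#   sudo -u postgres /usr/local/sbin/pg_basebackup_stream > /backup/base.tar

PGDATA_DIR=/var/lib/postgresql/8.2/main   # assumed location, hard-coded on purpose

# True only if the directory still has mode 700, the mode the server insists on.
datadir_is_private() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" in
        drwx------) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the directory as a tar stream on stdout. GNU tar exits 1 when a file
# changed while being read, which is expected on a running server; 2 is fatal.
stream_datadir() {
    rc=0
    tar -C "$1" -cf - . || rc=$?
    [ "$rc" -le 1 ]
}

# pg_start_backup / stream / pg_stop_backup; psql output goes to stderr so
# stdout carries nothing but the archive.
base_backup() {
    dir=$1
    datadir_is_private "$dir" || { echo "refusing: $dir is not mode 700" >&2; return 1; }
    psql -qAt -c "SELECT pg_start_backup('nightly');" >&2 || return 1
    status=0
    stream_datadir "$dir" || status=1
    # Always leave backup mode, even if the copy failed.
    psql -qAt -c "SELECT pg_stop_backup();" >&2 || status=1
    return "$status"
}

# Run only when invoked under the installed name (not when sourced for testing).
case "$0" in
    *pg_basebackup_stream) base_backup "$PGDATA_DIR" ;;
esac
```
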
At 2:05a -0400 on 12 Jun 2007, Johannes Konert wrote:
> that was a good hint. Suids are not working on bash-scripts, but with a
> restricted entry in /etc/sudoers the backup-user can now execute a
> copy-and-access-script to get the files from within the PGDATA-dir.

If you're curious as to /why/ setuids don't work on scripts, this FAQ may be of interest:

http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html

Kevin