Thread: archive command Permission Denied?
Please bear with me. I am fairly new to Linux.
I am working on archiving my WAL files. For now I am just mailing myself a list of the directory contents using the following script.
-rwxr-xr-x 1 postgres postgres 87 Oct 28 20:23 /var/lib/pgsql/mail-WAL-list.sh
the contents are simply
ls -lrt /var/lib/pgsql/data/pg_xlog/ | mail -s "WAL files are:" myemail@mydomain.com
I also have this set up to run in the postgres user's cron at 8 a.m.
I can run this when logged on as postgres and the cron runs fine as well, but I keep seeing the following in my logs.
LOG: archive command failed with exit code 126
DETAIL: The failed archive command was: /var/lib/pgsql/mail-WAL-list.sh
WARNING: transaction log file "0000000100000000000000F0" could not be archived: too many failures
sh: /var/lib/pgsql/mail-WAL-list.sh: Permission denied
I would appreciate any advice on what permission I need to set in order for this command to run.
-- Thank you for your time, Jason Long CEO and Chief Software Engineer BS Physics, MS Chemical Engineering http://www.octgsoftware.com HJBug Founder and President http://www.hjbug.com
Jason Long <mailing.list@supernovasoftware.com> writes:
> I am working on archiving my WAL files. For now I am just mailing
> myself a list of the directory contents using the following script.
> *-rwxr-xr-x 1 postgres postgres 87 Oct 28 20:23
> /var/lib/pgsql/mail-WAL-list.sh*
> I can run this when logged on as postgres and the cron runs fine as
> well, but I keep seeing the following in my logs.
> *LOG: archive command failed with exit code 126
> DETAIL: The failed archive command was: /var/lib/pgsql/mail-WAL-list.sh
> WARNING: transaction log file "0000000100000000000000F0" could not be
> archived: too many failures
> sh: /var/lib/pgsql/mail-WAL-list.sh: Permission denied*

That's just bizarre. The permissions on the script itself seem to be fine, so the only theory that comes to mind is the server doesn't have search (x) permission on one of the containing directory levels ... but that's hard to believe seeing that your data directory is inside the same tree.

[ thinks... ] I believe that some flavors of Unix are picky about shell scripts having a proper introducer line. I'm not sure that would manifest as "Permission denied", but does it work better if you put "#! /bin/sh" as the first line of the script file?

regards, tom lane
I wrote:
> That's just bizarre. The permissions on the script itself seem to be
> fine, so the only theory that comes to mind is the server doesn't have
> search (x) permission on one of the containing directory levels ...

Oh, wait, I bet I've got it: you're using a SELinux-enabled system and SELinux doesn't believe that it's a good idea to let the Postgres server execute something out of its data directory.

That would explain why the other methods of executing the script work --- typical SELinux policy is a lot stricter on network-exposed daemon processes than other stuff. If that is what's happening, you'll find "avc denied" messages in the system log that correlate to the archive failures.

The solution I'd recommend is putting the script someplace that's more usual to store scripts. You might be able to do something with changing the "security context" on the script file instead, but I'm not sure exactly what to change it to.

regards, tom lane
Tom Lane wrote:
> I wrote:
>> That's just bizarre. The permissions on the script itself seem to be fine, so the only theory that comes to mind is the server doesn't have search (x) permission on one of the containing directory levels ...
> Oh, wait, I bet I've got it: you're using a SELinux-enabled system and SELinux doesn't believe that it's a good idea to let the Postgres server execute something out of its data directory.

I am using CentOS 5.2 and it looks like there is SELinux. This is the first time it has caused me a problem so far.

> That would explain why the other methods of executing the script work --- typical SELinux policy is a lot stricter on network-exposed daemon processes than other stuff. If that is what's happening, you'll find "avc denied" messages in the system log that correlate to the archive failures.

I did not see anything like this in my logs.

> The solution I'd recommend is putting the script someplace that's more usual to store scripts.

I moved this inside the postgres data directory. I will post back the results. If this does not work I will have my Linux consultant have a look. Thank you very much for the advice.

> You might be able to do something with changing the "security context" on the script file instead, but I'm not sure exactly what to change it to.
> regards, tom lane
Jason Long <mailing.list@supernovasoftware.com> writes:
> Tom Lane wrote:
>> If that is what's happening, you'll find "avc denied" messages in the
>> system log that correlate to the archive failures.
>>
> *I did not see anything like this in my logs.*

You'd need to look in the system log (/var/log/messages) not the postmaster's log.

regards, tom lane
Tom Lane wrote:
> Jason Long <mailing.list@supernovasoftware.com> writes:
>> Tom Lane wrote:
>>> If that is what's happening, you'll find "avc denied" messages in the system log that correlate to the archive failures.
>> *I did not see anything like this in my logs.*
> You'd need to look in the system log (/var/log/messages) not the postmaster's log.
> regards, tom lane

I did not look in the postmaster's logs. I looked in
less /var/log/message
and
less /var/log/secure
I saw nothing that looked related to this.
This does seem a little strange. I will definitely post back my finding when I resolve this.
Tom Lane wrote:
> Jason Long <mailing.list@supernovasoftware.com> writes:
>> Tom Lane wrote:
>>> If that is what's happening, you'll find "avc denied" messages in the system log that correlate to the archive failures.
>> *I did not see anything like this in my logs.*
> You'd need to look in the system log (/var/log/messages) not the postmaster's log.
> regards, tom lane

I think I found the problem. By putting the archive command directly in postgresql.conf
I got this error
/usr/sbin/sendmail: Permission denied
So I guess I need to allow the use of sendmail.
How is postgres running the command different from my doing it as the postgres user or cron running as the postgres user?
Oh, well time to call my Linux guru. Thanks for all your help. You definitely got me going in the right direction.
Jason Long <mailing.list@supernovasoftware.com> writes:
> I got this error
> /usr/sbin/sendmail: Permission denied
> So I guess I need to allow the use of sendmail.
> How is postgres running the command different from my doing it as the
> postgres user or cron running as the postgres user?

SELinux treats it differently: programs that are run as network-accessible daemons get locked down to do only what the SELinux policy says they should be able to do. This is not unreasonable --- if someone managed to crack into your Apache server, for instance, you'd be really glad that they weren't able to use the breach to spam the world from your machine.

However, if you want your Postgres server able to do things not listed in the SELinux policy for it, you'll need to adjust that policy. Or disable SELinux ... but I don't really recommend doing that if your machine is at all exposed to the internet.

regards, tom lane
Tom Lane wrote:
> Jason Long <mailing.list@supernovasoftware.com> writes:
>> I got this error
>> /usr/sbin/sendmail: Permission denied
>> So I guess I need to allow the use of sendmail.
>> How is postgres running the command different from my doing it as the postgres user or cron running as the postgres user?
> SELinux treats it differently: programs that are run as network-accessible daemons get locked down to do only what the SELinux policy says they should be able to do. This is not unreasonable --- if someone managed to crack into your Apache server, for instance, you'd be really glad that they weren't able to use the breach to spam the world from your machine. However, if you want your Postgres server able to do things not listed in the SELinux policy for it, you'll need to adjust that policy. Or disable SELinux ... but I don't really recommend doing that if your machine is at all exposed to the internet.
> regards, tom lane

You were dead on. That was it. I disabled SELinux and it worked. Thank you very much for your advice.

Thank you for your time, Jason Long CEO and Chief Software Engineer BS Physics, MS Chemical Engineering http://www.octgsoftware.com HJBug Founder and President http://www.hjbug.com
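
Added example, not part of the thread and not code from any poster: a small shell filter that pulls the "avc denied" records for one confined domain out of audit text, which is the correlation step suggested above. The sample records are constructed for illustration (the type names `postgresql_t`, `postgresql_db_t` and `sendmail_exec_t` are assumed from the stock targeted policy); note that when `auditd` is running, denials are written to `/var/log/audit/audit.log` rather than `/var/log/messages`.

```shell
#!/bin/sh
# Constructed sample audit records (NOT taken from the poster's machine).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1225250581.101:812): avc:  denied  { execute } for  pid=4120 comm="sh" name="mail-WAL-list.sh" dev=dm-0 ino=98311 scontext=user_u:system_r:postgresql_t:s0 tcontext=user_u:object_r:postgresql_db_t:s0 tclass=file
type=AVC msg=audit(1225250640.377:815): avc:  denied  { execute } for  pid=4177 comm="mail" name="sendmail.sendmail" dev=dm-0 ino=55120 scontext=user_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1225250700.002:820): avc:  denied  { read } for  pid=2210 comm="httpd" name="secret.txt" dev=dm-0 ino=777 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1225250640.377:815): arch=40000003 syscall=11 success=no exit=-13 comm="mail" exe="/bin/mail"
EOF
}

# avc_denials DOMAIN
# Reads audit text on stdin and prints one line per denial whose source
# context (scontext) runs in DOMAIN: "permissions comm name target_type".
avc_denials() {
    awk -v dom="$1" '
    /avc: +denied/ {
        perm = ""; comm = ""; name = ""; sdom = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # Collect every permission listed between { and }
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            } else if ($i ~ /^comm=/) {
                comm = $i; gsub(/^comm=|"/, "", comm)
            } else if ($i ~ /^name=/) {
                name = $i; gsub(/^name=|"/, "", name)
            } else if ($i ~ /^scontext=/) {
                split($i, s, ":"); sdom = s[3]   # user:role:TYPE:level
            } else if ($i ~ /^tcontext=/) {
                split($i, t, ":"); ttype = t[3]
            }
        }
        if (sdom == dom) print perm, comm, name, ttype
    }'
}

# Demo on the constructed sample; on a real host feed it the audit log,
# e.g.: avc_denials postgresql_t < /var/log/audit/audit.log
sample_audit_log | avc_denials postgresql_t
```

Each line it prints names one permission the confined server was refused and the type of the object it touched, which is the input needed to adjust the policy narrowly. `audit2allow` can draft a local policy module from the same records.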