Thread: archive command Permission Denied?

archive command Permission Denied?

From: Jason Long
Please bear with me.  I am fairly new to Linux.

I am working on archiving my WAL files.  For now I am just mailing myself a list of the directory contents using the following script.

-rwxr-xr-x 1 postgres postgres 87 Oct 28 20:23 /var/lib/pgsql/mail-WAL-list.sh

the contents are simply

ls -lrt /var/lib/pgsql/data/pg_xlog/ | mail -s "WAL files are:" myemail@mydomain.com

I also have this set up to run in the postgres users cron at 8 a.m.

I can run this when logged on as postgres and the cron runs fine as well, but I keep seeing the following in my logs.

LOG:  archive command failed with exit code 126
DETAIL:  The failed archive command was: /var/lib/pgsql/mail-WAL-list.sh
WARNING:  transaction log file "0000000100000000000000F0" could not be archived: too many failures
sh: /var/lib/pgsql/mail-WAL-list.sh: Permission denied


I would appreciate any advice on what permission I need to set in order for this command to run.
-- 
Thank you for your time,

Jason Long
CEO and Chief Software Engineer
BS Physics, MS Chemical Engineering
http://www.octgsoftware.com
HJBug Founder and President
http://www.hjbug.com

Re: archive command Permission Denied?

From: Tom Lane
Jason Long <mailing.list@supernovasoftware.com> writes:
> I am working on archiving my WAL files.  For now I am just mailing
> myself a list of the directory contents using the following script.

> -rwxr-xr-x 1 postgres postgres 87 Oct 28 20:23
> /var/lib/pgsql/mail-WAL-list.sh

> I can run this when logged on as postgres and the cron runs fine as
> well, but I keep seeing the following in my logs.

> LOG:  archive command failed with exit code 126
> DETAIL:  The failed archive command was: /var/lib/pgsql/mail-WAL-list.sh
> WARNING:  transaction log file "0000000100000000000000F0" could not be
> archived: too many failures
> sh: /var/lib/pgsql/mail-WAL-list.sh: Permission denied

That's just bizarre.  The permissions on the script itself seem to be
fine, so the only theory that comes to mind is the server doesn't have
search (x) permission on one of the containing directory levels ... but
that's hard to believe seeing that your data directory is inside the
same tree.

[ thinks... ]  I believe that some flavors of Unix are picky about shell
scripts having a proper introducer line.  I'm not sure that would
manifest as "Permission denied", but does it work better if you
put "#! /bin/sh" as the first line of the script file?

            regards, tom lane

Re: archive command Permission Denied?

From: Tom Lane
I wrote:
> That's just bizarre.  The permissions on the script itself seem to be
> fine, so the only theory that comes to mind is the server doesn't have
> search (x) permission on one of the containing directory levels ...

Oh, wait, I bet I've got it: you're using a SELinux-enabled system and
SELinux doesn't believe that it's a good idea to let the Postgres server
execute something out of its data directory.  That would explain why the
other methods of executing the script work --- typical SELinux policy is
a lot stricter on network-exposed daemon processes than other stuff.

If that is what's happening, you'll find "avc denied" messages in the
system log that correlate to the archive failures.

The solution I'd recommend is putting the script someplace that's more
usual to store scripts.  You might be able to do something with changing
the "security context" on the script file instead, but I'm not sure
exactly what to change it to.

            regards, tom lane

Re: archive command Permission Denied?

From: Jason Long
Tom Lane wrote:
> I wrote:
>> That's just bizarre.  The permissions on the script itself seem to be
>> fine, so the only theory that comes to mind is the server doesn't have
>> search (x) permission on one of the containing directory levels ...
>
> Oh, wait, I bet I've got it: you're using a SELinux-enabled system and
> SELinux doesn't believe that it's a good idea to let the Postgres server
> execute something out of its data directory.

I am using CentOS 5.2 and it looks like there is SELinux.  This is the first time it has caused me a problem so far.

> That would explain why the
> other methods of executing the script work --- typical SELinux policy is
> a lot stricter on network-exposed daemon processes than other stuff.
>
> If that is what's happening, you'll find "avc denied" messages in the
> system log that correlate to the archive failures.

I did not see anything like this in my logs.

> The solution I'd recommend is putting the script someplace that's more
> usual to store scripts.

I moved this inside the postgres data directory.  I will post back the results.  If this does not work I will have my Linux consultant have a look.  Thank you very much for the advice.

> You might be able to do something with changing
> the "security context" on the script file instead, but I'm not sure
> exactly what to change it to.
>
>             regards, tom lane

Re: archive command Permission Denied?

From: Tom Lane
Jason Long <mailing.list@supernovasoftware.com> writes:
> Tom Lane wrote:
>> If that is what's happening, you'll find "avc denied" messages in the
>> system log that correlate to the archive failures.
>>
> I did not see anything like this in my logs.

You'd need to look in the system log (/var/log/messages) not the
postmaster's log.

            regards, tom lane
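Tom's replies so far point at three separate things to check: whether the server's user can search every directory above the script, whether the script has a "#!" introducer, and whether the system log (not the postmaster's log) carries "avc: denied" messages for the failed archive attempts. The POSIX shell helpers below gather those checks into one diagnostic that can be run on a host like the one in the thread. This is an added example written for this page, not code from the thread or from PostgreSQL. The sample log lines are constructed to show the message format, not real output from the poster's machine, and the SELinux labels in them (postgresql_t, postgresql_db_t, sendmail_exec_t), the script name and the log path are assumptions; the sendmail line anticipates the "/usr/sbin/sendmail: Permission denied" failure reported later in the thread.

```shell
#!/bin/sh
# Diagnostic helpers for the three theories raised in the thread: a parent
# directory without search (x) permission, a script with no "#!" introducer,
# and an SELinux denial logged as an AVC message. Added example; the script
# name, log path and SELinux labels used below are assumptions.

# Walk every parent directory of the given file and print the first one the
# current user cannot search. Run this as the postgres user, since the test
# answers for the invoking account. Returns 0 when the whole path is
# searchable, 1 otherwise.
check_path_search() {
    dir=$(dirname "$1")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if [ ! -x "$dir" ]; then
            echo "$dir"
            return 1
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

# Translate the exit status sh reports for archive_command. 126 is the value
# from the thread: the command was found but could not be executed.
explain_exit_code() {
    case "$1" in
        0)   echo "success" ;;
        126) echo "command found but could not be executed (no exec bit, a parent directory without search permission, or an SELinux denial)" ;;
        127) echo "command not found" ;;
        *)   echo "command ran and failed with status $1" ;;
    esac
}

# Return 0 if the file starts with "#!", 1 otherwise.
has_shebang() {
    [ "$(head -c 2 "$1")" = "#!" ]
}

# Print "permission comm scontext tcontext" for each AVC denial in the log
# whose text matches the second argument (script name, "sendmail", a type...).
# Both the kernel lines in /var/log/messages and the type=AVC lines in
# /var/log/audit/audit.log carry the same "avc:  denied  { perm }" shape.
avc_denials_for() {
    grep 'avc: *denied' "$1" | grep -- "$2" |
    sed -n 's/.*avc: *denied *{ \([^}]*\) }.*comm="\([^"]*\)".*scontext=\([^ ]*\).*tcontext=\([^ ]*\).*/\1 \2 \3 \4/p'
}

count_avc_denials_for() {
    avc_denials_for "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample of what /var/log/messages could contain on a CentOS 5
# host with the targeted policy. These lines are made up for the example.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 28 20:23:01 db1 kernel: audit(1225225381.123:456): avc:  denied  { execute } for  pid=4321 comm="sh" name="mail-WAL-list.sh" dev=sda2 ino=98765 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=file
Oct 28 20:23:01 db1 kernel: audit(1225225381.456:457): avc:  denied  { execute } for  pid=4322 comm="sh" name="sendmail" dev=sda2 ino=11111 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Oct 28 20:23:02 db1 crond[4400]: (postgres) CMD (/var/lib/pgsql/mail-WAL-list.sh)
EOF
}

# Stand-alone demonstration on the constructed sample: sh this_script.sh demo
run_demo() {
    tmp=$(mktemp -d)
    script="$tmp/mail-WAL-list.sh"
    printf 'ls -lrt /var/lib/pgsql/data/pg_xlog/\n' > "$script"   # no introducer, like the thread's script
    chmod 755 "$script"
    write_sample_log "$tmp/messages"
    echo "exit 126 means: $(explain_exit_code 126)"
    has_shebang "$script" && echo "introducer present" || echo "no #! introducer in $script"
    check_path_search "$script" && echo "all parent directories of $script are searchable"
    echo "AVC denials mentioning the script: $(count_avc_denials_for "$tmp/messages" mail-WAL-list.sh)"
    echo "everything denied to the postgresql_t domain:"
    avc_denials_for "$tmp/messages" postgresql_t
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    run_demo
fi
```

Against a real host, point avc_denials_for at /var/log/messages (or /var/log/audit/audit.log where auditd is running) and pass the archive script's name; an output line naming the server's domain as scontext and the script's file label as tcontext is the correlation Tom describes, and the tcontext is the label that would have to change if the script stays where it is.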

Re: archive command Permission Denied?

From: Jason Long
Tom Lane wrote:
> Jason Long <mailing.list@supernovasoftware.com> writes:
>> Tom Lane wrote:
>>> If that is what's happening, you'll find "avc denied" messages in the
>>> system log that correlate to the archive failures.
>>
>> I did not see anything like this in my logs.
>
> You'd need to look in the system log (/var/log/messages) not the
> postmaster's log.

I did not look in the postmaster's logs.  I looked in

less /var/log/message
and
less /var/log/secure

I saw nothing that looked related to this.
This does seem a little strange.  I will definitely post back my findings when I resolve this.

>             regards, tom lane

Re: archive command Permission Denied?

From: Jason Long
Tom Lane wrote:
> Jason Long <mailing.list@supernovasoftware.com> writes:
>> Tom Lane wrote:
>>> If that is what's happening, you'll find "avc denied" messages in the
>>> system log that correlate to the archive failures.
>>
>> I did not see anything like this in my logs.
>
> You'd need to look in the system log (/var/log/messages) not the
> postmaster's log.

I think I found the problem.  By putting the archive command directly in postgresql.conf I got this error:

/usr/sbin/sendmail: Permission denied

So I guess I need to allow the use of sendmail.

How is postgres running the command different from my doing it as the postgres user or cron running as the postgres user?

Oh, well, time to call my Linux guru.  Thanks for all your help.  You definitely got me going in the right direction.

>             regards, tom lane

Re: archive command Permission Denied?

From: Tom Lane
Jason Long <mailing.list@supernovasoftware.com> writes:
> I got this error
> /usr/sbin/sendmail: Permission denied
> So I guess I need to allow the use of sendmail.

> How is postgres running the command different from my doing it as the
> postgres user or cron running as the postgres user?

SELinux treats it differently: programs that are run as
network-accessible daemons get locked down to do only what the SELinux
policy says they should be able to do.

This is not unreasonable --- if someone managed to crack into your
Apache server, for instance, you'd be really glad that they weren't able
to use the breach to spam the world from your machine.

However, if you want your Postgres server able to do things not listed
in the SELinux policy for it, you'll need to adjust that policy.  Or
disable SELinux ... but I don't really recommend doing that if your
machine is at all exposed to the internet.

            regards, tom lane

Re: archive command Permission Denied?

From: Jason Long
Tom Lane wrote:
> Jason Long <mailing.list@supernovasoftware.com> writes:
>> I got this error
>> /usr/sbin/sendmail: Permission denied
>> So I guess I need to allow the use of sendmail.
>>
>> How is postgres running the command different from my doing it as the
>> postgres user or cron running as the postgres user?
>
> SELinux treats it differently: programs that are run as
> network-accessible daemons get locked down to do only what the SELinux
> policy says they should be able to do.
>
> This is not unreasonable --- if someone managed to crack into your
> Apache server, for instance, you'd be really glad that they weren't able
> to use the breach to spam the world from your machine.
>
> However, if you want your Postgres server able to do things not listed
> in the SELinux policy for it, you'll need to adjust that policy.  Or
> disable SELinux ... but I don't really recommend doing that if your
> machine is at all exposed to the internet.
>
>             regards, tom lane

You were dead on.  That was it.  I disabled SELinux and it worked.  Thank you very much for your advice.
Thank you for your time,

Jason Long
CEO and Chief Software Engineer
BS Physics, MS Chemical Engineering
http://www.octgsoftware.com
HJBug Founder and President
http://www.hjbug.com