Thread: heads up -- subtle change of behavior of new initdb
I just noticed tonight that the new initdb introduced a subtle change of behavior. I use a shell script to automate the process of - rm old data directory - mkdir new data directory - initdb - load from pgdumpall Now, that second step is not needed, but as of today it produces an installation that won't start due to improper permissions on data Thought it was worth mentioning, or possibly reinstating old behavior. Joe
Joe Conway <mail@joeconway.com> writes: > I just noticed tonight that the new initdb introduced a subtle change of > behavior. I use a shell script to automate the process of > - rm old data directory > - mkdir new data directory > - initdb > - load from pgdumpall > Now, that second step is not needed, but as of today it produces an > installation that won't start due to improper permissions on data That's a bug --- evidently the "fix permissions" path of control is wrong; can you take a look? regards, tom lane
Tom Lane wrote: > Joe Conway <mail@joeconway.com> writes: >>Now, that second step is not needed, but as of today it produces an >>installation that won't start due to improper permissions on data > > That's a bug --- evidently the "fix permissions" path of control is > wrong; can you take a look? Here's a small patch. I think this is all that's needed. Joe Index: src/bin/initdb/initdb.c =================================================================== RCS file: /opt/src/cvs/pgsql-server/src/bin/initdb/initdb.c,v retrieving revision 1.7 diff -c -r1.7 initdb.c *** src/bin/initdb/initdb.c 13 Nov 2003 23:46:31 -0000 1.7 --- src/bin/initdb/initdb.c 14 Nov 2003 07:46:22 -0000 *************** *** 2345,2350 **** --- 2345,2353 ---- made_new_pgdata = true; } + else + /* already exists, but make sure permissions are correct */ + chmod(pg_data, 0700); /* Create required subdirectories */
darnit! patch attached. (Thinks - do we need to worry about suid sgid and sticky bits on data dir?) andrew Tom Lane wrote: >Joe Conway <mail@joeconway.com> writes: > > >>I just noticed tonight that the new initdb introduced a subtle change of >>behavior. I use a shell script to automate the process of >>- rm old data directory >>- mkdir new data directory >>- initdb >>- load from pgdumpall >>Now, that second step is not needed, but as of today it produces an >>installation that won't start due to improper permissions on data >> >> > >That's a bug --- evidently the "fix permissions" path of control is >wrong; can you take a look? > > > > ? .deps ? initdb Index: initdb.c =================================================================== RCS file: /projects/cvsroot/pgsql-server/src/bin/initdb/initdb.c,v retrieving revision 1.7 diff -c -w -r1.7 initdb.c *** initdb.c 13 Nov 2003 23:46:31 -0000 1.7 --- initdb.c 14 Nov 2003 06:47:50 -0000 *************** *** 2345,2350 **** --- 2345,2359 ---- made_new_pgdata = true; } + else + { + printf("fixing permissions on existing directory %s... ",pg_data); + fflush(stdout); + if (!chmod(pg_data,0700)) + exit_nicely(); + else + check_ok(); + } /* Create required subdirectories */
> + if (!chmod(pg_data,0700)) Out of curiosity, what was the rationale for using 0700? I know it was a pain for me when I had a script to monitor the tmp usage. Surely read access to privileged users isn't really a problem? I'm thinking more of loosening the paranoia check elsewhere rather than this default. Wouldn't at least 0750 be safe? That way putting a user in the postgres group would grant him access to be able to browse around and read the files in pg_data. Actually I should think 02750 would be better so that the group is inherited by subdirectories. -- greg
Greg Stark writes: > Wouldn't at least 0750 be safe? That way putting a user in the postgres group > would grant him access to be able to browse around and read the files in > pg_data. That assumes that there is a restricted postgres group, which is not guaranteed. -- Peter Eisentraut peter_e@gmx.net
The shell script said this: $ECHO_N "fixing permissions on existing directory $PGDATA... "$ECHO_C chmod go-rwx "$PGDATA" || exit_nicely There's no more rationale than that for this patch. I'm inclined to agree with you, though. cheers andrew Greg Stark wrote: >>+ if (!chmod(pg_data,0700)) >> >> > >Out of curiosity, what was the rationale for using 0700? I know it was a pain >for me when I had a script to monitor the tmp usage. Surely read access to >privileged users isn't really a problem? I'm thinking more of loosening the >paranoia check elsewhere rather than this default. > >Wouldn't at least 0750 be safe? That way putting a user in the postgres group >would grant him access to be able to browse around and read the files in >pg_data. > >Actually I should think 02750 would be better so that the group is inherited >by subdirectories. > > >
Peter Eisentraut <peter_e@gmx.net> writes: > Greg Stark writes: > > > Wouldn't at least 0750 be safe? That way putting a user in the postgres group > > would grant him access to be able to browse around and read the files in > > pg_data. > > That assumes that there is a restricted postgres group, which is not > guaranteed. Well the current setup assumes the admin hasn't leaked the root password too. I'm not suggesting making that the default setup, just loosening the paranoia check so that if an admin sets the directory to be group readable the database doesn't refuse to start up. -- greg
Greg Stark <gsstark@mit.edu> writes: > I'm not suggesting making that the default setup, just loosening the > paranoia check so that if an admin sets the directory to be group > readable the database doesn't refuse to start up. In previous discussions of this point, paranoia was considered desirable. I don't think the situation has changed. regards, tom lane
Andrew Dunstan <andrew@dunslane.net> writes: > darnit! > patch attached. Applied with correction (you got the return-value check backwards) and further work to deal reasonably with error conditions occurring in check_data_dir. regards, tom lane
Tom Lane wrote: >Greg Stark <gsstark@mit.edu> writes: > > >>I'm not suggesting making that the default setup, just loosening the >>paranoia check so that if an admin sets the directory to be group >>readable the database doesn't refuse to start up. >> >> > >In previous discussions of this point, paranoia was considered desirable. >I don't think the situation has changed. > > > Would it be worth having a command line option to relax the paranoia a bit, leaving the current paranoia setting as the default? I guess it would have to be on the command line because IIRC this is checked before we ever look at the config file. cheers andrew
Patch applied. Thanks. --------------------------------------------------------------------------- Andrew Dunstan wrote: > > darnit! > > patch attached. > > (Thinks - do we need to worry about suid sgid and sticky bits on data dir?) > > andrew > > Tom Lane wrote: > > >Joe Conway <mail@joeconway.com> writes: > > > > > >>I just noticed tonight that the new initdb introduced a subtle change of > >>behavior. I use a shell script to automate the process of > >>- rm old data directory > >>- mkdir new data directory > >>- initdb > >>- load from pgdumpall > >>Now, that second step is not needed, but as of today it produces an > >>installation that won't start due to improper permissions on data > >> > >> > > > >That's a bug --- evidently the "fix permissions" path of control is > >wrong; can you take a look? > > > > > > > > > ? .deps > ? initdb > Index: initdb.c > =================================================================== > RCS file: /projects/cvsroot/pgsql-server/src/bin/initdb/initdb.c,v > retrieving revision 1.7 > diff -c -w -r1.7 initdb.c > *** initdb.c 13 Nov 2003 23:46:31 -0000 1.7 > --- initdb.c 14 Nov 2003 06:47:50 -0000 > *************** > *** 2345,2350 **** > --- 2345,2359 ---- > > made_new_pgdata = true; > } > + else > + { > + printf("fixing permissions on existing directory %s... ",pg_data); > + fflush(stdout); > + if (!chmod(pg_data,0700)) > + exit_nicely(); > + else > + check_ok(); > + } > > /* Create required subdirectories */ > > > ---------------------------(end of broadcast)--------------------------- > TIP 4: Don't 'kill -9' the postmaster -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
Tom Lane wrote: > Andrew Dunstan <andrew@dunslane.net> writes: > > darnit! > > patch attached. > > Applied with correction (you got the return-value check backwards) > and further work to deal reasonably with error conditions occurring > in check_data_dir. Tom applied it before I could. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
Tom Lane wrote: >Andrew Dunstan <andrew@dunslane.net> writes: > > >>darnit! >>patch attached. >> >> > >Applied with correction (you got the return-value check backwards) >and further work to deal reasonably with error conditions occurring >in check_data_dir. > darnit again. I'm taking a break - my head is swimming with Java, JavaScript, Perl, HTML and XML/XSL from my real (i.e. paying) work, and context switching is causing massive mental thrashing. cheers andrew