Thread: heads up -- subtle change of behavior of new initdb

heads up -- subtle change of behavior of new initdb

From
Joe Conway
Date:
I just noticed tonight that the new initdb introduced a subtle change of 
behavior. I use a shell script to automate the process of
- rm old data directory
- mkdir new data directory
- initdb
- load from pgdumpall
Now, that second step is not needed, but as of today it produces an 
installation that won't start due to improper permissions on data

Thought it was worth mentioning, or possibly reinstating old behavior.

Joe



Re: heads up -- subtle change of behavior of new initdb

From
Tom Lane
Date:
Joe Conway <mail@joeconway.com> writes:
> I just noticed tonight that the new initdb introduced a subtle change of 
> behavior. I use a shell script to automate the process of
> - rm old data directory
> - mkdir new data directory
> - initdb
> - load from pgdumpall
> Now, that second step is not needed, but as of today it produces an 
> installation that won't start due to improper permissions on data

That's a bug --- evidently the "fix permissions" path of control is
wrong; can you take a look?
        regards, tom lane


Re: heads up -- subtle change of behavior of new initdb

From
Joe Conway
Date:
Tom Lane wrote:
> Joe Conway <mail@joeconway.com> writes:
>>Now, that second step is not needed, but as of today it produces an
>>installation that won't start due to improper permissions on data
>
> That's a bug --- evidently the "fix permissions" path of control is
> wrong; can you take a look?

Here's a small patch. I think this is all that's needed.

Joe
Index: src/bin/initdb/initdb.c
===================================================================
RCS file: /opt/src/cvs/pgsql-server/src/bin/initdb/initdb.c,v
retrieving revision 1.7
diff -c -r1.7 initdb.c
*** src/bin/initdb/initdb.c    13 Nov 2003 23:46:31 -0000    1.7
--- src/bin/initdb/initdb.c    14 Nov 2003 07:46:22 -0000
***************
*** 2345,2350 ****
--- 2345,2353 ----

          made_new_pgdata = true;
      }
+     else
+         /* already exists, but make sure permissions are correct */
+         chmod(pg_data, 0700);

      /* Create required subdirectories */


Re: heads up -- subtle change of behavior of new initdb

From
Andrew Dunstan
Date:
darnit!

patch attached.

(Thinks - do we need to worry about suid sgid and sticky bits on data dir?)

andrew

Tom Lane wrote:

>Joe Conway <mail@joeconway.com> writes:
>
>
>>I just noticed tonight that the new initdb introduced a subtle change of
>>behavior. I use a shell script to automate the process of
>>- rm old data directory
>>- mkdir new data directory
>>- initdb
>>- load from pgdumpall
>>Now, that second step is not needed, but as of today it produces an
>>installation that won't start due to improper permissions on data
>>
>>
>
>That's a bug --- evidently the "fix permissions" path of control is
>wrong; can you take a look?
>
>
>
>
? .deps
? initdb
Index: initdb.c
===================================================================
RCS file: /projects/cvsroot/pgsql-server/src/bin/initdb/initdb.c,v
retrieving revision 1.7
diff -c -w -r1.7 initdb.c
*** initdb.c    13 Nov 2003 23:46:31 -0000    1.7
--- initdb.c    14 Nov 2003 06:47:50 -0000
***************
*** 2345,2350 ****
--- 2345,2359 ----

          made_new_pgdata = true;
      }
+     else
+     {
+         printf("fixing permissions on existing directory %s... ",pg_data);
+         fflush(stdout);
+         if (!chmod(pg_data,0700))
+             exit_nicely();
+         else
+             check_ok();
+     }

      /* Create required subdirectories */


Re: heads up -- subtle change of behavior of new initdb

From
Greg Stark
Date:
> +         if (!chmod(pg_data,0700))

Out of curiosity, what was the rationale for using 0700? I know it was a pain
for me when I had a script to monitor the tmp usage. Surely read access to
privileged users isn't really a problem? I'm thinking more of loosening the
paranoia check elsewhere rather than this default.

Wouldn't at least 0750 be safe? That way putting a user in the postgres group
would grant him access to be able to browse around and read the files in
pg_data.

Actually I should think 02750 would be better so that the group is inherited
by subdirectories.

-- 
greg



Re: heads up -- subtle change of behavior of new initdb

From
Peter Eisentraut
Date:
Greg Stark writes:

> Wouldn't at least 0750 be safe? That way putting a user in the postgres group
> would grant him access to be able to browse around and read the files in
> pg_data.

That assumes that there is a restricted postgres group, which is not
guaranteed.

-- 
Peter Eisentraut   peter_e@gmx.net



Re: heads up -- subtle change of behavior of new initdb

From
Andrew Dunstan
Date:
The shell script said this:
       $ECHO_N "fixing permissions on existing directory $PGDATA... 
"$ECHO_C       chmod go-rwx "$PGDATA" || exit_nicely

There's no more rationale than that for this patch.

I'm inclined to agree with you, though.

cheers

andrew


Greg Stark wrote:

>>+         if (!chmod(pg_data,0700))
>>    
>>
>
>Out of curiosity, what was the rationale for using 0700? I know it was a pain
>for me when I had a script to monitor the tmp usage. Surely read access to
>privileged users isn't really a problem? I'm thinking more of loosening the
>paranoia check elsewhere rather than this default.
>
>Wouldn't at least 0750 be safe? That way putting a user in the postgres group
>would grant him access to be able to browse around and read the files in
>pg_data.
>
>Actually I should think 02750 would be better so that the group is inherited
>by subdirectories.
>
>  
>



Re: heads up -- subtle change of behavior of new initdb

From
Greg Stark
Date:
Peter Eisentraut <peter_e@gmx.net> writes:

> Greg Stark writes:
> 
> > Wouldn't at least 0750 be safe? That way putting a user in the postgres group
> > would grant him access to be able to browse around and read the files in
> > pg_data.
> 
> That assumes that there is a restricted postgres group, which is not
> guaranteed.

Well the current setup assumes the admin hasn't leaked the root password too.

I'm not suggesting making that the default setup, just loosening the paranoia
check so that if an admin sets the directory to be group readable the database
doesn't refuse to start up.

-- 
greg



Re: heads up -- subtle change of behavior of new initdb

From
Tom Lane
Date:
Greg Stark <gsstark@mit.edu> writes:
> I'm not suggesting making that the default setup, just loosening the
> paranoia check so that if an admin sets the directory to be group
> readable the database doesn't refuse to start up.

In previous discussions of this point, paranoia was considered desirable.
I don't think the situation has changed.
        regards, tom lane


Re: [PATCHES] heads up -- subtle change of behavior of new initdb

From
Tom Lane
Date:
Andrew Dunstan <andrew@dunslane.net> writes:
> darnit!
> patch attached.

Applied with correction (you got the return-value check backwards)
and further work to deal reasonably with error conditions occurring
in check_data_dir.

            regards, tom lane

Re: heads up -- subtle change of behavior of new initdb

From
Andrew Dunstan
Date:
Tom Lane wrote:

>Greg Stark <gsstark@mit.edu> writes:
>  
>
>>I'm not suggesting making that the default setup, just loosening the
>>paranoia check so that if an admin sets the directory to be group
>>readable the database doesn't refuse to start up.
>>    
>>
>
>In previous discussions of this point, paranoia was considered desirable.
>I don't think the situation has changed.
>
>  
>
Would it be worth having a command line option to relax the paranoia a 
bit, leaving the current paranoia setting as the default? I guess it 
would have to be on the command line because IIRC this is checked before 
we ever look at the config file.

cheers

andrew



Re: heads up -- subtle change of behavior of new initdb

From
Bruce Momjian
Date:
Patch applied.  Thanks.

---------------------------------------------------------------------------


Andrew Dunstan wrote:
>
> darnit!
>
> patch attached.
>
> (Thinks - do we need to worry about suid sgid and sticky bits on data dir?)
>
> andrew
>
> Tom Lane wrote:
>
> >Joe Conway <mail@joeconway.com> writes:
> >
> >
> >>I just noticed tonight that the new initdb introduced a subtle change of
> >>behavior. I use a shell script to automate the process of
> >>- rm old data directory
> >>- mkdir new data directory
> >>- initdb
> >>- load from pgdumpall
> >>Now, that second step is not needed, but as of today it produces an
> >>installation that won't start due to improper permissions on data
> >>
> >>
> >
> >That's a bug --- evidently the "fix permissions" path of control is
> >wrong; can you take a look?
> >
> >
> >
> >

> ? .deps
> ? initdb
> Index: initdb.c
> ===================================================================
> RCS file: /projects/cvsroot/pgsql-server/src/bin/initdb/initdb.c,v
> retrieving revision 1.7
> diff -c -w -r1.7 initdb.c
> *** initdb.c    13 Nov 2003 23:46:31 -0000    1.7
> --- initdb.c    14 Nov 2003 06:47:50 -0000
> ***************
> *** 2345,2350 ****
> --- 2345,2359 ----
>
>           made_new_pgdata = true;
>       }
> +     else
> +     {
> +         printf("fixing permissions on existing directory %s... ",pg_data);
> +         fflush(stdout);
> +         if (!chmod(pg_data,0700))
> +             exit_nicely();
> +         else
> +             check_ok();
> +     }
>
>       /* Create required subdirectories */
>

>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

Re: [PATCHES] heads up -- subtle change of behavior of new

From
Bruce Momjian
Date:
Tom Lane wrote:
> Andrew Dunstan <andrew@dunslane.net> writes:
> > darnit!
> > patch attached.
>
> Applied with correction (you got the return-value check backwards)
> and further work to deal reasonably with error conditions occurring
> in check_data_dir.

Tom applied it before I could.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

Re: [PATCHES] heads up -- subtle change of behavior of

From
Andrew Dunstan
Date:
Tom Lane wrote:

>Andrew Dunstan <andrew@dunslane.net> writes:
>
>
>>darnit!
>>patch attached.
>>
>>
>
>Applied with correction (you got the return-value check backwards)
>and further work to deal reasonably with error conditions occurring
>in check_data_dir.
>

darnit again.

I'm taking a break - my head is swimming with Java, JavaScript, Perl,
HTML and XML/XSL from my real (i.e. paying) work, and context switching
is causing massive mental thrashing.

cheers

andrew