Thread: recent Debian Postgres security update
Hi! I use debian woody and postgres version 7.2.1 which. i am tring to keep my system up with official debian fixes and updates. I did the usual apt-get update && apt-get upgrade and forgot to configure in pg_hba.conf 'local all trust'. Now it seemingly works all right but i am worried about the message it gave: Sorry! I need unrestricted access in /etc/postgresql/pg_hba.conf to update the databases. I wonder if you could give me advice what to do to 'update the databases' properly or should i be worried at all about it? Or i am all right until next fix when the trouble begins for me? I looked around and saw that one place which contains this Sorry! etc thing ise enable_lang script which executes in turn createlang script. In my case the following query produces output like that template1=# select * from pg_language; lanname | lanispl | lanpltrusted | lanplcallfoid | lancompiler ----------+---------+--------------+---------------+------------- internal | f | f | 0 | n/a C | f | f | 0 | /bin/cc sql | f | f | 0 | postgres plpgsql | t | t | 291431 | Or should i just issue 'enable_lang --all' or better use backups sooner the better ... Best Regards, Imre Oolberg I just thought to bring forward also the whole transcript on messages bash# apt-get upgrade Get:1 http://security.debian.org woody/updates/main python2.1 2.1.3-3.2 [1592kB] Get:2 http://security.debian.org woody/updates/main python 2.1.3-3.2 [25.5kB] Get:3 http://security.debian.org woody/updates/main libpgsql2 7.2.1-2woody2 [65.2kB] Get:4 http://security.debian.org woody/updates/main postgresql-client 7.2.1-2woody2 [280kB] Get:5 http://security.debian.org woody/updates/main postgresql 7.2.1-2woody2 [1550kB] Fetched 3514kB in 3s (955kB/s) Reading changelogs...Done apt-listchanges: Do you want to continue [Y/n]? (Reading database ... 18312 files and directories currently installed.) Preparing to replace python2.1 2.1.3-3.1 (using .../python2.1_2.1.3-3.2_i386.deb) ... Unpacking replacement python2.1 ... Preparing to replace python 2.1.3-3.1 (using .../python_2.1.3-3.2_all.deb) ... Unpacking replacement python ... Preparing to replace libpgsql2 7.2.1-2 (using .../libpgsql2_7.2.1-2woody2_i386.deb) ... Unpacking replacement libpgsql2 ... Preparing to replace postgresql-client 7.2.1-2 (using .../postgresql-client_7.2.1-2woody2_i386.deb) ... Unpacking replacement postgresql-client ... Preparing to replace postgresql 7.2.1-2 (using .../postgresql_7.2.1-2woody2_i386.deb) ... Stopping PostgreSQL database: postmaster Stopped /usr/lib/postgresql/bin/postmaster (pid 5106 5107 5109 13336). . Found an existing database directory at /var/lib/postgres/data The installed database is of the same version as the one to be installed. You do not need to dump your database for reloading. Stopping PostgreSQL database: postmaster Stopped /usr/lib/postgresql/bin/postmaster (pid 5106 5107 5109 13336). . Unpacking replacement postgresql ... Setting up libpgsql2 (7.2.1-2woody2) ... Setting up postgresql-client (7.2.1-2woody2) ... The file /etc/postgresql/postgresql.env provides the normal set-up for an ordinary user running PostgreSQL. It is automatically read by the wrapper script for PostgreSQL user commands in postgresql-client. Setting up python2.1 (2.1.3-3.2) ... Setting up postgresql (7.2.1-2woody2) ... Restarting PostgreSQL database: postmaster No /usr/lib/postgresql/bin/postmaster found running; none killed. Starting PostgreSQL postmaster. postmaster successfully started . Enabling the PL procedural language in all PostgreSQL databases... Sorry! I need unrestricted access in /etc/postgresql/pg_hba.conf to update the databases. And in the syslog are the following appropriate section Sep 12 23:12:18 postgres[5106]: [1] DEBUG: smart shutdown request Sep 12 23:12:18 postgres[10236]: [2] FATAL 1: This connection has been terminated by the administrator. Sep 12 23:12:18 postgres[12923]: [2] FATAL 1: This connection has been terminated by the administrator. Sep 12 23:12:18 postgres[12924]: [2] FATAL 1: This connection has been terminated by the administrator. Sep 12 23:12:18 postgres[12925]: [2] FATAL 1: This connection has been terminated by the administrator. Sep 12 23:12:18 postgres[12933]: [2] FATAL 1: This connection has been terminated by the administrator. Sep 12 23:12:18 postgres[13033]: [2] FATAL 1: This connection has been terminated by the administrator. Sep 12 23:12:18 postgres[21322]: [2] FATAL 1: This connection has been terminated by the administrator. Sep 12 23:12:18 postgres[13336]: [2] DEBUG: shutting down Sep 12 23:12:20 postgres[13336]: [3] DEBUG: database system is shut down Sep 12 23:12:37 postgres[13483]: [1] DEBUG: database system was shut down at 2002-09-12 23:12:20 EEST Sep 12 23:12:37 postgres[13483]: [2] DEBUG: checkpoint record is at 0/9A3907C Sep 12 23:12:37 postgres[13483]: [3] DEBUG: redo record is at 0/9A3907C; undo record is at 0/0; shutdown TRUE Sep 12 23:12:37 postgres[13483]: [4] DEBUG: next transaction id: 299775; next oid: 323503 Sep 12 23:12:37 postgres[13483]: [5] DEBUG: database system is ready
On Thu, 2002-09-12 at 22:58, Imre Oolberg wrote: > Hi! > > I use debian woody and postgres > version 7.2.1 which. i am tring to keep my system up with official debian > fixes and updates. > > I did the usual apt-get update && apt-get upgrade and forgot to configure > in pg_hba.conf 'local all trust'. Now it seemingly works all right but i > am worried about the message it gave: > > Sorry! I need unrestricted access in /etc/postgresql/pg_hba.conf to update > the databases. > > I wonder if you could give me advice what to do to 'update the databases' > properly or should i be worried at all about it? Or i am all right until > next fix when the trouble begins for me? > > I looked around and saw that one place which contains this Sorry! etc > thing ise enable_lang script which executes in turn createlang script. > In my case the following query produces output like that > > > template1=# select * from pg_language; > lanname | lanispl | lanpltrusted | lanplcallfoid | lancompiler > ----------+---------+--------------+---------------+------------- > internal | f | f | 0 | n/a > C | f | f | 0 | /bin/cc > sql | f | f | 0 | postgres > plpgsql | t | t | 291431 | > > Or should i just issue 'enable_lang --all' or better use backups sooner > the better ... In fact this query should have been sent to the Debian debian-user mailing list or to me as Debian maintainer. You can't expect the upstream PostgreSQL community to deal with distribution packaging issues. You can contact any package maintainer by emailing <package>@packages.debian.org (substituting the package name for <package>). You don't have any particular problem here. The package will install plpgsql, plperl and pltcl in every database if it can. Since your pg_hba.conf didn't allow that, it didn't happen. All it means is that you need to install them for yourself if you want them. For some of its operations, particularly where an initdb and reload of data is required, the install script will rewrite pg_hdb.conf to give itself access. I can't think at the moment if I simply don't do that for this particular operation or if something has gone wrong with it. -- Oliver Elphick Oliver.Elphick@lfix.co.uk Isle of Wight, UK http://www.lfix.co.uk/oliver GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C ======================================== "Let the wicked forsake his way, and the unrighteous man his thoughts; and let him return unto the LORD, and He will have mercy upon him; and to our God, for he will abundantly pardon." Isaiah 55:7