Thread: Small correction in chown command to set the owner of the pgsql data dir correctly
Small correction in chown command to set the owner of the pgsql data dir correctly
From
PG Doc comments form
Date:
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/13/creating-cluster.html
Description:

"root# mkdir /usr/local/pgsql
root# chown postgres /usr/local/pgsql
root# su postgres
postgres$ initdb -D /usr/local/pgsql/data"

If these steps are followed then it still fails to initialize the DB as chown only gives ownership to the pgsql directory but not the child directories under pgsql, where potentially a data directory is to be created by a new user. And it fails giving an output like this

"The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
The database cluster will be initialized with locales
  COLLATE: en_IN.UTF-8
  CTYPE: en_IN.UTF-8
  MESSAGES: en_IN.UTF-8
  MONETARY: en_IN
  NUMERIC: en_IN
  TIME: en_IN
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
fixing permissions on existing directory /usr/local/pgsql/data ... initdb: error: could not change permissions of directory "/usr/local/pgsql/data": Operation not permitted"

Now if we recursively give permission with chown to the pgsql dir with "root# chown -R postgres /usr/local/pgsql", the potential data directory now also has ownership given to postgres user and the init db command succeeds

"The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
The database cluster will be initialized with locales
  COLLATE: en_IN.UTF-8
  CTYPE: en_IN.UTF-8
  MESSAGES: en_IN.UTF-8
  MONETARY: en_IN
  NUMERIC: en_IN
  TIME: en_IN
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
fixing permissions on existing directory /usr/local/pgsql/data ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... Asia/****
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok
initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
Success. You can now start the database server using:
pg_ctl -D /usr/local/pgsql/data -l logfile start"

Thus, it successfully sets the cluster.
Re: Small correction in chown command to set the owner of the pgsql data dir correctly
From
"David G. Johnston"
Date:
On Saturday, February 6, 2021, PG Doc comments form <noreply@postgresql.org> wrote:
> The following documentation comment has been logged on the website:
> Page: https://www.postgresql.org/docs/13/creating-cluster.html
> Description:
> "root# mkdir /usr/local/pgsql
> root# chown postgres /usr/local/pgsql
> root# su postgres
> postgres$ initdb -D /usr/local/pgsql/data"
> If these steps are followed then it still fails to initialize the DB as
> chown only gives ownership to the pgsql directory but not the child
> directories under pgsql,
If you follow those four steps exclusively then at the fourth step there are no child directories since step one created the pgsql directory and neither step two nor three created any other directories.
The reader has already been told that if the directory being pointed to exists it must be owned by postgres.
David J.
Re: Small correction in chown command to set the owner of the pgsql data dir correctly
From
Tom Lane
Date:
"David G. Johnston" <david.g.johnston@gmail.com> writes:
> On Saturday, February 6, 2021, PG Doc comments form <noreply@postgresql.org>
> wrote:
>> "root# mkdir /usr/local/pgsql
>> root# chown postgres /usr/local/pgsql
>> root# su postgres
>> postgres$ initdb -D /usr/local/pgsql/data"
>> If these steps are followed then it still fails to initialize the DB as
>> chown only gives ownership to the pgsql directory but not the child
>> directories under pgsql,

> If you follow those four steps exclusively then at the fourth step there
> are no child directories since step one created the pgsql directory and
> neither step two nor three created any other directories.

Yeah. The OP must have followed some other process in order to get to

>> fixing permissions on existing directory /usr/local/pgsql/data ... initdb:
>> error: could not change permissions of directory "/usr/local/pgsql/data":
>> Operation not permitted"

More to the point, it seems to me that recommending "chown -R" on the *parent* directory is not merely unsafe but an actual security hole. There are plenty of scenarios where the data directory's parent ought not be owned by the postgres user, and any other child directories even less so. An example is where the parent is a filesystem mount point. (Admittedly, the manual does suggest adding an intermediate level of postgres-owned directory in such a case, but lots of people don't bother.)

If we're going to have people picking and choosing which parts of that script they're going to follow exactly, having a step in it that's as dangerous as "chown -R" just seems like a really bad idea.

regards, tom lane
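
Added example, not part of the thread or of the PostgreSQL documentation: a read-only shell audit that lists what a recursive chown of the parent directory would reassign besides the data directory, and checks the data directory on its own. The function names are hypothetical, and the script assumes a `stat` that supports `-c` (GNU coreutils or busybox) and that the data directory path is written with the parent path as its prefix.

```shell
#!/bin/sh
# Added example: read-only audit, changes no ownership or permissions.

# Print every path under PARENT ($1), outside DATADIR ($2), that is not
# already owned by the numeric uid $3. These are the entries a
# "chown -R" on PARENT would hand over to that user as a side effect.
chown_r_collateral() {
    find "$1" -path "$2" -prune -o ! -user "$3" -print
}

# Succeed only if DATADIR ($1) is a real directory (not a symlink),
# owned by uid $2, with mode 700 or 750, the two modes PostgreSQL
# accepts for a data directory.
datadir_ok() {
    dir=$1 want_uid=$2
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$want_uid" ] || return 1
    [ "$mode" = 700 ] || [ "$mode" = 750 ]
}

# Usage: sh audit.sh /usr/local/pgsql /usr/local/pgsql/data "$(id -u postgres)"
if [ "$#" -eq 3 ]; then
    datadir_ok "$2" "$3" || echo "data directory $2: wrong owner, mode or type"
    echo "entries a recursive chown of $1 would also reassign:"
    chown_r_collateral "$1" "$2" "$3"
fi
```

If the second list is not empty, the narrower change is to fix ownership of the data directory alone, which is the only directory initdb requires the postgres user to own.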