Thread: Small correction in chown command to set the owner of the pgsql data dir correctly

Small correction in chown command to set the owner of the pgsql data dir correctly

From: PG Doc comments form
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/13/creating-cluster.html
Description:

"root# mkdir /usr/local/pgsql
root# chown postgres /usr/local/pgsql
root# su postgres
postgres$ initdb -D /usr/local/pgsql/data"
If these steps are followed then it still fails to initialize the DB as
chown only gives ownership to the pgsql directory but not the child
directories under pgsql, where potentially a data directory is to be created
by a new user. And it fails, giving an output like this:
"The files belonging to this database system will be owned by user
"postgres".
This user must also own the server process.

The database cluster will be initialized with locales
COLLATE:  en_IN.UTF-8
CTYPE:    en_IN.UTF-8
MESSAGES: en_IN.UTF-8
MONETARY: en_IN
NUMERIC:  en_IN
TIME:     en_IN
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /usr/local/pgsql/data ... initdb:
error: could not change permissions of directory "/usr/local/pgsql/data":
Operation not permitted"

Now if we recursively give permission with chown to the pgsql dir with
"root# chown -R postgres /usr/local/pgsql", the potential data directory now
also has ownership given to the postgres user and the initdb command succeeds:

"The files belonging to this database system will be owned by user
"postgres".
This user must also own the server process.

The database cluster will be initialized with locales
COLLATE:  en_IN.UTF-8
CTYPE:    en_IN.UTF-8
MESSAGES: en_IN.UTF-8
MONETARY: en_IN
NUMERIC:  en_IN
TIME:     en_IN
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /usr/local/pgsql/data ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... Asia/****
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

pg_ctl -D /usr/local/pgsql/data -l logfile start"

Thus, it successfully sets the cluster.

Re: Small correction in chown command to set the owner of the pgsql data dir correctly

From: "David G. Johnston"
On Saturday, February 6, 2021, PG Doc comments form <noreply@postgresql.org> wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/13/creating-cluster.html
> Description:
>
> "root# mkdir /usr/local/pgsql
> root# chown postgres /usr/local/pgsql
> root# su postgres
> postgres$ initdb -D /usr/local/pgsql/data"
> If these steps are followed then it still fails to initialize the DB as
> chown only gives ownership to the pgsql directory but not the child
> directories under pgsql,

If you follow those four steps exclusively then at the fourth step there are no child directories since step one created the pgsql directory and neither step two nor three created any other directories.

The reader has already been told that if the directory being pointed to exists it must be owned by postgres.

David J.

"David G. Johnston" <david.g.johnston@gmail.com> writes:
> On Saturday, February 6, 2021, PG Doc comments form <noreply@postgresql.org>
> wrote:
>> "root# mkdir /usr/local/pgsql
>> root# chown postgres /usr/local/pgsql
>> root# su postgres
>> postgres$ initdb -D /usr/local/pgsql/data"
>> If these steps are followed then it still fails to initialize the DB as
>> chown only gives ownership to the pgsql directory but not the child
>> directories under pgsql,

> If you follow those four steps exclusively then at the fourth step there
> are no child directories since step one created the pgsql directory and
> neither step two nor three created any other directories.

Yeah.  The OP must have followed some other process in order to get to

>> fixing permissions on existing directory /usr/local/pgsql/data ... initdb:
>> error: could not change permissions of directory "/usr/local/pgsql/data":
>> Operation not permitted"

More to the point, it seems to me that recommending "chown -R" on the
*parent* directory is not merely unsafe but an actual security hole.
There are plenty of scenarios where the data directory's parent ought
not be owned by the postgres user, and any other child directories even
less so.  An example is where the parent is a filesystem mount point.
(Admittedly, the manual does suggest adding an intermediate level
of postgres-owned directory in such a case, but lots of people don't
bother.)

If we're going to have people picking and choosing which parts of that
script they're going to follow exactly, having a step in it that's as
dangerous as "chown -R" just seems like a really bad idea.

            regards, tom lane
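
An added example, not part of the thread: a shell check that lists what a recursive chown on the data directory's parent would have given to the database account beyond the data directory itself. The function names and the sample tree are assumptions made for illustration; the tree is constructed in a temporary directory and the current user stands in for postgres, so it runs without root.

```shell
#!/bin/sh
# Added example, not from the thread.
# usage: overbroad_owned PARENT DATADIR OWNER
# Lists every path under PARENT (PARENT itself included) that OWNER owns,
# skipping DATADIR and everything inside it. These are the paths that
# "chown -R OWNER PARENT" hands to the database account beyond the one
# directory initdb needs. Empty output means ownership is scoped.
# OWNER may be a user name or a numeric uid. DATADIR is used as a find
# -path pattern, so it must not contain glob characters (* ? [).
overbroad_owned() {
    find "$1" -path "$2" -prune -o -user "$3" -print
}

# Constructed sample tree: a parent laid out like a mount point that holds
# the data directory next to unrelated content. Everything in it is owned
# by the current user, which mimics the state after a recursive chown.
demo_tree() {
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/pgsql/data/base" \
             "$demo_root/pgsql/backups" \
             "$demo_root/pgsql/lost+found"
    : > "$demo_root/pgsql/backups/dump.sql"
    printf '%s\n' "$demo_root"
}

# Demo run: prints the parent, backups, backups/dump.sql and lost+found,
# but nothing at or below pgsql/data.
tree=$(demo_tree)
overbroad_owned "$tree/pgsql" "$tree/pgsql/data" "$(id -u)"
rm -rf "$tree"
```

On a host set up with the four documented steps, the parent directory itself is expected in the output because those steps chown it to postgres on purpose; any other path listed is ownership the database account does not need.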