Thread: /var/lib/pgsql 0755

/var/lib/pgsql 0755

From
Justin Pryzby
Date:
Hi,

Postgres requires that the data dir is restricted:
2021-05-27 13:39:44.002 EDT [23409] FATAL:  data directory "/var/lib/pgsql/pgsql14.jtp" has invalid permissions
2021-05-27 13:39:44.002 EDT [23409] DETAIL:  Permissions should be u=rwx (0700) or u=rwx,g=rx (0750).

But the server package creates /v/l/pgsql as mode 700, and rpm resets the perms
on every installation.

[pryzbyj@database ~]$ rpm -qvl postgresql14-server-14-beta1_3PGDG.rhel7.x86_64 |grep var/lib
drwx------    2 postgrespostgres                    0 May 21 06:18 /var/lib/pgsql
drwx------    2 postgrespostgres                    0 May 21 06:18 /var/lib/pgsql/14
drwx------    2 postgrespostgres                    0 May 21 06:18 /var/lib/pgsql/14/backups
drwx------    2 postgrespostgres                    0 May 21 06:18 /var/lib/pgsql/14/data

That seems unnecessarily restrictive, since I might put something like logs
underneath there, and I'd prefer to be able to look for them, tab complete
them, maybe even look *at* them, depending on log_file_mode, and the
permissions that *I* set on the subdir.  I might just want to "ls"/tab complete
to know which version dir to use.  In my deployment script, I go to the effort
to set it back to 00755 for convenience.

Maybe the mode 700 stuff is leftover from old packages which didn't include a
version?  Either in the package name or as a subdir.

There aren't many base packages which do this:
rpm -qlav |grep '^drwx.*root *root' |grep -v ^drwxr-xr-x |awk -F/ '!/audit|firewall|tmp|lvm/ && NF<5'

Would you consider setting at least /v/l/p to mode 755?  And maybe the version
subdirs (like 14) too.

-- 
Justin



Re: /var/lib/pgsql 0755

From
Markus Bräunig
Date:
Not at all,

we normally just have about 3 users (used) on the servers:
root, postgres and a monitoring user. 

We log in directly as the postgres user (ssh key | auditing through bastion host if necessary | no password set).

In the past most suid bit binaries were forbidden by policy and on most systems this is still the way to go.

Markus

> On 27.05.2021 at 20:50, Justin Pryzby <pryzby@telsasoft.com> wrote:
> 
> On Thu, May 27, 2021 at 06:40:40PM +0000, Markus Bräunig wrote:
>> I thought as long as /v/l/p is the homedir of postgres user we should be careful with changes like this.
> 
> I think you mean that you do things like "sudo -iu postgres" to open an
> interactive shell.  Probably because you want to "cd" into the dir and "ls".
> 
> I imagine that's common, but is itself strange to me.  You can just "ls" the
> dir without sudo without opening an interactive shell, and do anything else,
> too.  Which is safer (avoids the risk of then leaving the shell opened or
> running as the wrong user in the wrong window) and avoids starting down the
> path of running around the system putting on different users' "hats".
> 
> System users like this are for running their specific daemon, for isolation
> purposes and not for running interactive shells.  It shouldn't have a password
> set, either.
> 
>> We normally shift the data dir to other places and the log files as well. For the logfiles we use a separate group combined with a sgid bit
> 
> -- 
> Justin

Re: /var/lib/pgsql 0755

From
Christoph Berg
Date:
Re: Justin Pryzby
> Would you consider setting at least /v/l/p to mode 755?  And maybe the version
> subdirs (like 14) too.

Fwiw these directories are 755 on Debian.

drwxr-xr-x 15 postgres postgres  4096 27. Mai 22:26 /var/lib/postgresql/
drwxr-xr-x  3 postgres postgres  4096 19. Apr 16:02 /var/lib/postgresql/10/
drwxr-xr-x  3 postgres postgres  4096 18. Aug 2020  /var/lib/postgresql/11/

But I can see the argument that the ~postgres HOME should be treated
with care.

Christoph
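
An added example, not from the thread or from the PGDG packaging: a shell check that applies the two modes named in the server's DETAIL line (0700, 0750) to the data directory only, and reports separately whether the parent directory is listable by others. It assumes GNU stat, runs its demo on a constructed temporary tree, and ignores setuid/setgid/sticky bits as a choice made for this example.

```shell
#!/bin/sh
# Added example: function names and the demo tree are hypothetical.

# perm_bits PATH: print the rwx bits as three octal digits (special bits dropped).
perm_bits() {
    raw=$(stat -c '%a' "$1") || return 2
    printf '%03o\n' $(( 0$raw & 0777 ))
}

# datadir_ok PATH: succeed only for the modes the DETAIL line allows.
datadir_ok() {
    case "$(perm_bits "$1")" in
        700|750) return 0 ;;
        *)       return 1 ;;
    esac
}

# others_can_list PATH: succeed if "other" has both r and x, which is
# what "ls" and tab completion by a non-owner need.
others_can_list() {
    bits=$(perm_bits "$1") || return 2
    [ $(( 0$bits & 05 )) -eq 5 ]
}

# audit PARENT DATADIR: one-line verdict; status 0 only if DATADIR passes.
audit() {
    if others_can_list "$1"; then p="listable by others"; else p="private"; fi
    if datadir_ok "$2"; then
        echo "OK:   $2 is $(perm_bits "$2"); parent is $p"
    else
        echo "FAIL: $2 is $(perm_bits "$2"), want 700 or 750; parent is $p"
        return 1
    fi
}

# Demo on a constructed tree mirroring the layout in the thread.
demo=$(mktemp -d)
mkdir -p "$demo/pgsql/14/data"
chmod 755 "$demo/pgsql" "$demo/pgsql/14"   # the mode requested for the parent
chmod 700 "$demo/pgsql/14/data"            # data dir stays restricted
audit "$demo/pgsql" "$demo/pgsql/14/data" || true
chmod 755 "$demo/pgsql/14/data"            # the case the server refuses
audit "$demo/pgsql" "$demo/pgsql/14/data" || true
rm -rf "$demo"
```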