Re: Putting the O/S user for "local" "peer" authentication in the "postgres" group vs chmod'ing the "pg*.conf" files to be readable by "all"
| От | Adrian Klaver |
|---|---|
| Тема | Re: Putting the O/S user for "local" "peer" authentication in the "postgres" group vs chmod'ing the "pg*.conf" files to be readable by "all" |
| Дата | |
| Msg-id | 8a3deda3-73ba-25bf-527d-dba758156e5f@aklaver.com обсуждение исходный текст |
| Ответ на | Re: Putting the O/S user for "local" "peer" authentication in the "postgres" group vs chmod'ing the "pg*.conf" files to be readable by "all" (Bryn Llewellyn <bryn@yugabyte.com>) |
| Список | pgsql-general |
On 11/1/22 13:20, Bryn Llewellyn wrote: >> david.g.johnston@gmail.com <mailto:david.g.johnston@gmail.com> wrote: >> > > <aside> > I know that I've been told off for allowing "sudo" for "postgres". I'm > only experimenting on my laptop. But I want to be able to stop the > server, delete the datafiles, create a new cluster, and then start that > using a single script. I can't use "pg_ctl stop/start" because it > expects to find its config files on the data directory. (That's a > different story. And I'm not ready to ask about that yet.) So I use > "sudo systemctl stop/start postgresql" because this method looks in the > right place for the config files. If you are going to use the Debian/Ubuntu packaging then you will need to follow its "rules". See here: https://wiki.debian.org/PostgreSql https://ubuntu.com/server/docs/databases-postgresql Also do: man pg_wrapper Your best bet is to systemctl to start stop Postgres, but if you want to use pg_ctl then you need to use the wrapped version. As example: pg_lsclusters Ver Cluster Port Status Owner Data directory Log file 14 main 5432 online postgres /var/lib/postgresql/14/main /var/log/postgresql/postgresql-14-main.log 15 main 5434 down postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log sudo pg_ctlcluster stop 14/main pg_lsclusters Ver Cluster Port Status Owner Data directory Log file 14 main 5432 down postgres /var/lib/postgresql/14/main /var/log/postgresql/postgresql-14-main.log 15 main 5434 down postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log sudo pg_ctlcluster start 14/main pg_lsclusters Ver Cluster Port Status Owner Data directory Log file 14 main 5432 online postgres /var/lib/postgresql/14/main /var/log/postgresql/postgresql-14-main.log 15 main 5434 down postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log There are more pg_*cluster* wrapped commands: pg_archivecleanup pg_buildext pg_createcluster pg_dump pg_lsclusters pg_recvlogical pg_restorecluster pg_virtualenv pg_backupcluster pg_config pg_ctlcluster pg_dumpall pg_receivewal pg_renamecluster pg_updatedicts pg_basebackup pg_conftool pg_dropcluster pg_isready pg_receivexlog pg_restore pg_upgradecluster > </aside> > > Here's what my "pg_hba.conf" has: > > * local all bob peer* > > My experiment shows that my attempt to authorize as "bob" using > "local", "peer" authorization fails when every config file is readable > only by "owner" and "group". And it shows that a sufficient fix is to > make just "postgresql.conf" readable by "all" (as I believe is the > intention). Of course, an alternative fix (in the sesne that it would > work) would be to have "postgresql.conf" not readable by all but to put > "bob" in the "postgres" group. > > All this leads to an obvious question: > > *«* > *Given that all of the config files have been made readable by "group" > (in contrast to the regime for the data files), what is the intention of > this design? In other words, when is it proper to put an O/S user in the > "postgres" group? After all, if the answer is "never" than no privileges > on "postgres/postgres" files would ever have been granted to "group".* > *»* > > > > > > > -- Adrian Klaver adrian.klaver@aklaver.com
В списке pgsql-general по дате отправления: