Re: Improved security for https://www.postgresql.org/docs/current/install-make.html
| От | Bear Giles |
|---|---|
| Тема | Re: Improved security for https://www.postgresql.org/docs/current/install-make.html |
| Дата | |
| Msg-id | CALBNtw69sj1dDrvmjpS_eG8TSCupF-1XHm6od8ugNNqWbcNw3Q@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Improved security for https://www.postgresql.org/docs/current/install-make.html (Peter Eisentraut <peter@eisentraut.org>) |
| Ответы |
Re: Improved security for https://www.postgresql.org/docs/current/install-make.html
|
| Список | pgsql-docs |
You'll want to update the existing page then! :-)
My point was mostly that I did a fresh 'git clone', followed the instructions, and was immediately hit by a "permission denied" error because the make script tried to create a directory under /usr/local. It wasn't clear whether that was the only thing that required root access. The script I provided was one approach, but it can be greatly simplified if all that's required is creating the directory and chancing its ownership prior to running the 'make install'.
(I still think it's a Good Idea to separate compilation and deployment/'installation but that's a separate issue.)
Bear
On Mon, Nov 11, 2024 at 8:32 AM Peter Eisentraut <peter@eisentraut.org> wrote:
On 06.11.24 22:58, PG Doc comments form wrote:
> The 'short' script can then be rewritten as
>
> ```
> # work done as a regular user
> ./configure
> make build
>
> # work that requires ROOT access
> su
> mkdir /usr/local/pgsql/data
> chown (current user):(current group) /usr/local/pgsql
> adduser --system --group postgres
> exit
>
> # work that requires POSTGRES access
> su -u postgres
> make install installdirs
> exit
We don't want the installed files to be owned by postgres. That would
mean that a compromised PostgreSQL server (running as "postgres") could
overwrite its own installation files. You don't have to use "root" for
the installation, of course, but it should be separate from "postgres".
В списке pgsql-docs по дате отправления: