Re: How to make PostreSQL utilities honor home directories?
| От | Adrian Klaver |
|---|---|
| Тема | Re: How to make PostreSQL utilities honor home directories? |
| Дата | |
| Msg-id | ea685213-835c-8ffe-c806-69e2062ffdbe@aklaver.com обсуждение исходный текст |
| Ответ на | Re: How to make PostreSQL utilities honor home directories? (Jeffrey Walton <noloader@gmail.com>) |
| Ответы |
Re: How to make PostreSQL utilities honor home directories?
|
| Список | pgsql-general |
On 9/1/22 6:31 PM, Jeffrey Walton wrote: > On Thu, Sep 1, 2022 at 8:51 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: >> >> "Peter J. Holzer" <hjp-pgsql@hjp.at> writes: >>> However, the symlink doesn't seem to be the culprit. If I run >>> % sudo -u postgres -H /usr/lib/postgresql/13/bin/psql >>> (which is not a symlink) >>> I get the same behaviour. So it seems that psql changes to its basedir >>> and then can't change back again. >> >> Ah --- looking closer at that code, it will chdir *before* checking >> whether the target file is a symlink, which is probably unnecessarily >> stupid. I'm wondering whether we could drop that logic altogether [1], >> but that won't help you today. >> >> I concur with the other person asking why you want to sudo to postgres >> at all, though. It's generally safest if the client side isn't running >> as the same user as the server. > > The use case is an install of DefectDojo [2]. I _think_ they are > taking advantage of the fact that as root, you don't need to > authenticate because of postgresql's use of domain sockets. (Hat tip > for that, by the way). The installer code will install packages, setup > the database, install the DefectDojo programs, etc. You are not running as root(Postgres won't allow you do this anyway) you are running as postgres system user and the authentication is handled by pg_hba.conf. I'm also betting that if you look at pg_hba.conf it is set up to do peer authentication and hence the need to be postgres system user. You can obtain a similar result in pg_hba.conf with: TYPE DATABASE USER ADDRESS METHOD local all postgres trust Then you could eliminate the whole sudo dance. Or set up: TYPE DATABASE USER ADDRESS METHOD host postgres all <some_host> scram- sha-256 if you want password protection. > > Jeff > >> [1] https://www.postgresql.org/message-id/797232.1662075573%40sss.pgh.pa.us > [2] https://github.com/DefectDojo/godojo > > -- Adrian Klaver adrian.klaver@aklaver.com
В списке pgsql-general по дате отправления: