On 9/1/22 6:31 PM, Jeffrey Walton wrote:
> On Thu, Sep 1, 2022 at 8:51 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>
>> "Peter J. Holzer" <hjp-pgsql@hjp.at> writes:
>>> However, the symlink doesn't seem to be the culprit. If I run
>>> % sudo -u postgres -H /usr/lib/postgresql/13/bin/psql
>>> (which is not a symlink)
>>> I get the same behaviour. So it seems that psql changes to its basedir
>>> and then can't change back again.
>>
>> Ah --- looking closer at that code, it will chdir *before* checking
>> whether the target file is a symlink, which is probably unnecessarily
>> stupid. I'm wondering whether we could drop that logic altogether [1],
>> but that won't help you today.
>>
>> I concur with the other person asking why you want to sudo to postgres
>> at all, though. It's generally safest if the client side isn't running
>> as the same user as the server.
>
> The use case is an install of DefectDojo [2]. I _think_ they are
> taking advantage of the fact that as root, you don't need to
> authenticate because of postgresql's use of domain sockets. (Hat tip
> for that, by the way). The installer code will install packages, setup
> the database, install the DefectDojo programs, etc.
You are not running as root(Postgres won't allow you do this anyway) you
are running as postgres system user and the authentication is handled by
pg_hba.conf. I'm also betting that if you look at pg_hba.conf it is set
up to do peer authentication and hence the need to be postgres system
user. You can obtain a similar result in pg_hba.conf with:
TYPE DATABASE USER ADDRESS METHOD
local all postgres trust
Then you could eliminate the whole sudo dance.
Or set up:
TYPE DATABASE USER ADDRESS METHOD
host postgres all <some_host> scram-
sha-256
if you want password protection.
>
> Jeff
>
>> [1] https://www.postgresql.org/message-id/797232.1662075573%40sss.pgh.pa.us
> [2] https://github.com/DefectDojo/godojo
>
>
--
Adrian Klaver
adrian.klaver@aklaver.com