Обсуждение: Could not create a tablespace - permission denied

Поиск
Список
Период
Сортировка

Could not create a tablespace - permission denied

От
Graham Leggett
Дата:
Hi all,

While attempting to create a tablespace as the postgres user under RHEL5
with *no* SELinux enabled, I get the following error:

postgres=# CREATE TABLESPACE fma LOCATION '/home/chandler/fma/db/pgsql';
ERROR:  could not set permissions on directory
"/home/chandler/fma/db/pgsql": Permission denied

The user postgres is able to access the directory, and the user postgres
is able to set permissions on the directory to 0700:

-bash-3.1$ chmod 700 /home/chandler/fma/db/pgsql
-bash-3.1$

Does anyone know what I should do to fix this?

Regards,
Graham
--

Вложения

Re: Could not create a tablespace - permission denied

От
Tom Lane
Дата:
Graham Leggett <minfrin@sharp.fm> writes:
> While attempting to create a tablespace as the postgres user under RHEL5
> with *no* SELinux enabled, I get the following error:

> postgres=# CREATE TABLESPACE fma LOCATION '/home/chandler/fma/db/pgsql';
> ERROR:  could not set permissions on directory
> "/home/chandler/fma/db/pgsql": Permission denied

> The user postgres is able to access the directory, and the user postgres
> is able to set permissions on the directory to 0700:

> -bash-3.1$ chmod 700 /home/chandler/fma/db/pgsql

If you can do that from a shell running as postgres, then I think
selinux is not so disabled as you think.  Ordinary file permissions are
applied uniformly to all processes running as a given userid, but
selinux is different.

            regards, tom lane

Re: Could not create a tablespace - permission denied

От
Graham Leggett
Дата:
Tom Lane wrote:

> If you can do that from a shell running as postgres, then I think
> selinux is not so disabled as you think.  Ordinary file permissions are
> applied uniformly to all processes running as a given userid, but
> selinux is different.

SELinux is definitely not present on this machine - it is not installed
at all.

At it turned out, the postgresql server had cached the system user
permissions, and it only started working after postgresql had been
restarted and the cached credentials had been replaced.

Regards,
Graham
--

Вложения

Re: Could not create a tablespace - permission denied

От
Tom Lane
Дата:
Graham Leggett <minfrin@sharp.fm> writes:
> At it turned out, the postgresql server had cached the system user
> permissions, and it only started working after postgresql had been
> restarted and the cached credentials had been replaced.

I think this explanation is fiction ... there is no "cacheing of
credentials" in there that I know about.

Maybe the server had not been running under the userid you thought it
was?  But it would have to match the ownership of the data directory,
so it's hard to see how a simple restart would fix it.

[ thinks... ]  Hm, is the tablespace directory mounted over NFS?
I *have* heard of strange cacheing behaviors on NFS.  In fact,
NFS has enough weirdnesses that I wouldn't recommend running a
database over it ...

            regards, tom lane

Re: Could not create a tablespace - permission denied

От
Graham Leggett
Дата:
Tom Lane wrote:

> I think this explanation is fiction ... there is no "cacheing of
> credentials" in there that I know about.
>
> Maybe the server had not been running under the userid you thought it
> was?  But it would have to match the ownership of the data directory,
> so it's hard to see how a simple restart would fix it.
>
> [ thinks... ]  Hm, is the tablespace directory mounted over NFS?
> I *have* heard of strange cacheing behaviors on NFS.  In fact,
> NFS has enough weirdnesses that I wouldn't recommend running a
> database over it ...

The server is a standard REHL5 installed copy of postgresql, running as
the postgres user (as is standard on RHE5). Both the data directory and
the tablespace are running on ext3 filesystems local to the machine,
there are no NFS mounts anywhere. The machine does not have SELinux
installed, never mind enabled.

After the postgres user was granted permission to access the tablespace
directory, and after it was verified that the postgres user was able to
access the tablespace directory, postgresql refused to allow the
tablespace to be created until the postgresql server was restarted.

Regards,
Graham
--

Вложения

Re: Could not create a tablespace - permission denied

От
"Joshua D. Drake"
Дата:
Graham Leggett wrote:

> After the postgres user was granted permission to access the tablespace
> directory, and after it was verified that the postgres user was able to
> access the tablespace directory, postgresql refused to allow the
> tablespace to be created until the postgresql server was restarted.

I am pretty sure you are missing something. I can not reproduce your issue:

jd@scratch:~$ mkdir /tmp/foo
jd@scratch:~$ psql -U postgres
postgres=# \h create tablespace
Command:     CREATE TABLESPACE
Description: define a new tablespace
Syntax:
CREATE TABLESPACE tablespacename [ OWNER username ] LOCATION 'directory'

postgres=# create tablespace foobar location '/tmp/foo';
ERROR:  could not set permissions on directory "/tmp/foo": Operation not
permitted
postgres=#
[1]+  Stopped                 psql -U postgres
jd@scratch:~$ sudo su -
[sudo] password for jd:
root@scratch:~# chown postgres:postgres /tmp/foo
root@scratch:~# exit
logout
jd@scratch:~$ fg
psql -U postgres

postgres=# create tablespace foobar location '/tmp/foo';
CREATE TABLESPACE
postgres=#

But I am glad your problem is resolved.

Joshua D. Drake

Re: Could not create a tablespace - permission denied

От
Tom Lane
Дата:
Graham Leggett <minfrin@sharp.fm> writes:
> Tom Lane wrote:
>> I think this explanation is fiction ... there is no "cacheing of
>> credentials" in there that I know about.

> The server is a standard REHL5 installed copy of postgresql, running as
> the postgres user (as is standard on RHE5). Both the data directory and
> the tablespace are running on ext3 filesystems local to the machine,
> there are no NFS mounts anywhere. The machine does not have SELinux
> installed, never mind enabled.

> After the postgres user was granted permission to access the tablespace
> directory, and after it was verified that the postgres user was able to
> access the tablespace directory, postgresql refused to allow the
> tablespace to be created until the postgresql server was restarted.

Fascinating.  I think what you're describing must be a kernel bug ---
want to see if you can reproduce it without PG involved?  Just make a
test program that chmod's, sleeps awhile, and chmod's again, and
manually change the permissions while it's sleeping, in the same way
that you did in the problem case.

            regards, tom lane

Re: Could not create a tablespace - permission denied

От
Graham Leggett
Дата:
Joshua D. Drake wrote:

> I am pretty sure you are missing something. I can not reproduce your issue:

Do it like this:

- mkdir /tmp/foo
- chown user:user /tmp/foo
- edit /etc/group and add postgres to the group user
- attempt to access /tmp/foo as the user postgres, at this point a user
logged in as postgres will be able to access the directory.
- attempt to create a tablespace on /tmp/foo, this will fail until
postgresql is restarted, after which the attempt will succeed.

Regards,
Graham
--

Вложения

Re: Could not create a tablespace - permission denied

От
"Joshua D. Drake"
Дата:
Graham Leggett wrote:
> Joshua D. Drake wrote:
>
>> I am pretty sure you are missing something. I can not reproduce your
>> issue:
>
> Do it like this:
>
> - mkdir /tmp/foo
> - chown user:user /tmp/foo
> - edit /etc/group and add postgres to the group user

Aha! there it is. Adding a user to a group doesn't mean anything until
that user reinitializes the environment. That is why restarting
postgresql resolves the issue. When postgresql is started, is actually
launches a new shell as the user and the fact that they are part of the
group is picked up.


Sincerely,

Joshua D. Drake




Re: Could not create a tablespace - permission denied

От
Tom Lane
Дата:
"Joshua D. Drake" <jd@commandprompt.com> writes:
> Graham Leggett wrote:
>> - edit /etc/group and add postgres to the group user

> Aha! there it is. Adding a user to a group doesn't mean anything until
> that user reinitializes the environment.

In particular, it looks like the list of groups you belong to is
typically only computed at login time (or equivalently su -l, which
is what's happening in the postgres init script), and then just
inherited by all processes launched from that login.  So there is
caching of a sort going on here, but it's in the kernel and there's
nothing we can do about it.

            regards, tom lane