Discussion: EL7 and Apache private /tmp/ directories
Greetings,
In EL7 (RHEL+CentOS), as a security measure, Apache processes get a private /tmp/ directory [1]. As a result, this means that any Apache processes attempting to connect to postgresql using a domain socket will be unable to connect.
EL7 (and Fedora) address this problem by updating the following setting in postgresql.conf [2]
unix_socket_directories = '/var/run/postgresql, /tmp'
And by modifying DEFAULT_PGSOCKET_DIR in pg_config_manual.h [3].
-#define DEFAULT_PGSOCKET_DIR "/tmp"
+#define DEFAULT_PGSOCKET_DIR "/var/run/postgresql"
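Review bot: the new default /var/run/postgresql has to exist before the server starts, which the old /tmp default never required; since /var/run is a tmpfs on EL7 (as the follow-up in this thread points out), this header change needs a companion tmpfiles.d entry that creates the directory at boot, otherwise the server fails to start after a reboot.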
Can these changes be included in the EL7 RPMs provided at yum.postgresql.org?
Thanks,
James
[1] https://fedoraproject.org/wiki/Features/ServicesPrivateTmp
[2] http://bugzilla.redhat.com/825448
[3] http://pkgs.fedoraproject.org/cgit/postgresql.git/tree/postgresql-var-run-socket.patch
Hi,

Thanks for the heads-up. New PostgreSQL minor releases are due next week, and I'll queue this for that.

Regards, Devrim

On Thu, 2015-04-30 at 20:02 -0400, James Laska wrote:
> Greetings,
>
> In EL7 (RHEL+CentOS), as a security measure, Apache processes get a private /tmp/ directory [1]. As a result, this means that any Apache processes attempting to connect to postgresql using a domain socket will be unable to connect.
>
> EL7 (and Fedora) address this problem by updating the following setting in postgresql.conf [2]
>
> unix_socket_directories = '/var/run/postgresql, /tmp'
>
> And by modifying DEFAULT_PGSOCKET_DIR in pg_config_manual.h [3].
>
> -#define DEFAULT_PGSOCKET_DIR "/tmp"
> +#define DEFAULT_PGSOCKET_DIR "/var/run/postgresql"
>
> Can these changes be included in the EL7 RPMs provided at yum.postgresql.org?
>
> Thanks,
> James
>
> [1] https://fedoraproject.org/wiki/Features/ServicesPrivateTmp
> [2] http://bugzilla.redhat.com/825448
> [3] http://pkgs.fedoraproject.org/cgit/postgresql.git/tree/postgresql-var-run-socket.patch

--
Devrim GÜNDÜZ
Principal Systems Engineer @ EnterpriseDB: http://www.enterprisedb.com
PostgreSQL Danışmanı/Consultant, Red Hat Certified Engineer
Twitter: @DevrimGunduz , @DevrimGunduzTR
On Tue, May 12, 2015 at 3:59 PM, Devrim Gündüz <devrim@gunduz.org> wrote:
Thanks for the heads-up. New PostgreSQL minor releases are due next
week, and I'll queue this for that.
Greetings Devrim,
I noticed additional changes will be needed in the next EL7 build. Since /run (and /var/run) are a tmpfs mounted at boot, the postgresql.spec will also need to create `/var/run/postgresql` on bootup. Otherwise, postgresql will fail to start on boot as the socket directory is not present. This is fixed by using systemd-tmpfiles.
The postgresql.spec will need to be updated to include, and install, a tmpfiles.d conf file. The relevant postgresql.spec changes, and additional postgresql.tmpfiles.d %{source} are available at http://pkgs.fedoraproject.org/cgit/postgresql.git/tree/postgresql.spec.
Thanks,
James
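The two packaging points raised in this thread, the `unix_socket_directories` setting and the socket directory that must exist on a tmpfs before the server starts, are illustrated below in a small POSIX shell script. It is an added example, not code from the thread or from the Fedora or yum.postgresql.org packages: it parses the setting out of a constructed postgresql.conf, reports which listed directories are missing under a scratch root that stands in for the real filesystem, and emits a tmpfiles.d(5) line for each missing one. The owner and mode in that line (postgres:postgres, 0755) are assumed values, not copied from the Fedora package.

```shell
#!/bin/sh
# Added example (not from the thread or any package). Every path is created
# under a scratch directory so nothing on the real system is touched.

# Print the directories listed in unix_socket_directories, one per line.
# Accepts the quoted, comma-separated form shown in the thread.
socket_dirs_from_conf() {
    sed -n "s/^[[:space:]]*unix_socket_directories[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$'
}

# Emit a tmpfiles.d(5) "d" entry that recreates a directory at boot.
# Owner and mode are assumed values for this example.
tmpfiles_entry() {
    printf 'd %s 0755 postgres postgres -\n' "$1"
}

# Print each configured socket directory that does not exist below $2
# (a root prefix standing in for "/"). Returns 0 when none are missing,
# which is the condition the server needs to start.
missing_socket_dirs() {
    _conf=$1; _root=$2; _rc=0
    for _d in $(socket_dirs_from_conf "$_conf"); do
        if [ ! -d "$_root$_d" ]; then
            echo "$_d"
            _rc=1
        fi
    done
    return $_rc
}

# Demo: a scratch root where /tmp exists but /var/run/postgresql does not,
# which is the state of a freshly booted EL7 box with /run on tmpfs.
scratch=$(mktemp -d)
demo_conf="$scratch/postgresql.conf"
# Constructed config carrying the EL7/Fedora setting from the thread.
printf "unix_socket_directories = '/var/run/postgresql, /tmp'\n" > "$demo_conf"
mkdir -p "$scratch/tmp"

if missing=$(missing_socket_dirs "$demo_conf" "$scratch"); then
    echo "all socket directories present; server can bind its sockets"
else
    echo "missing at boot (server would fail to start):"
    echo "$missing"
    echo "tmpfiles.d entry to ship in the package:"
    for d in $missing; do tmpfiles_entry "$d"; done
fi
rm -rf "$scratch"
```

Running it prints /var/run/postgresql as missing together with the `d /var/run/postgresql 0755 postgres postgres -` line; after that directory is created (as systemd-tmpfiles would do at boot) the check passes.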