From: | "Andrew Dunstan" <andrew(at)dunslane(dot)net> |
---|---|
To: | <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: What goes into the security doc? |
Date: | 2003-01-24 15:36:43 |
Message-ID: | 002b01c2c3be$68262c90$1a01000a@rduadunstan2 |
Lists: | pgsql-docs pgsql-hackers |
man su says (on Linux):

    -s, --shell=SHELL
           run SHELL if /etc/shells allows it

Illustration:

    [adunsta:adunsta]$ su -s /bin/tcsh - -c 'ps -f $$'
    Password:
    UID PID PPID C STIME TTY STAT TIME CMD
    root 10682 10681 0 10:34 pts/0 S 0:00 -tcsh -c ps -f $$
    [adunsta:adunsta]$

So setting /bin/true as the login shell prevents real logins but doesn't
prevent running commands as the user via su, even from a login shell.

andrew

----- Original Message -----
From: "Dan Langille" <dan(at)langille(dot)org>
To: "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au>
Cc: <pgsql-hackers(at)postgresql(dot)org>
Sent: Friday, January 24, 2003 10:00 AM
Subject: Re: [HACKERS] What goes into the security doc?
> On 22 Jan 2003 at 13:29, Christopher Kings-Lynne wrote:
>
> > Recommend always running "initdb -W" and setting all pg_hba entries to md5.
>
> Thanks. I also encountered this item on IRC:
>
> [09:26] <fede2> Guys, is there a problem with using /bin/true or
> /bin/false as the shell of the postgres user? The docs only say
> "adduser postgres", which will give postgres a nice shell.
> [09:27] <fede2> I'm asking because the guys from Gentoo (that's a
> distro FWIW) want to use either /bin/false or /bin/true as postgres'
> shell.
> [09:27] <dvl> fede2: it means you won't be able to become the
> postgres user to run commands.
> [09:27] <mmc_> ... to run SHELL commands.
> [09:29] <fede2> dvl: Although it's not the same, one could use "su -c foo
> postgres" to work around it.
> [09:30] <fede2> dvl: I was wondering if it had an even heavier
> reason, besides that.
> [09:34] <mmc_> fede2: the manpage of su says that -c args is treated
> by the login shell!
> [09:35] <fede2> mmc_: Hmm.. true. That makes it a heavy enough
> reason. Thanks.
> [09:35] * fede2 departs
> --
> Dan Langille : http://www.langille.org/
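
An audit for the point made in this message, added here as an example and not part of the original e-mail or the PostgreSQL documentation: it lists accounts whose login shell is true, false or nologin and reports whether "su -s" from a non-root caller would be honored. It assumes su's documented rule that a non-root caller's -s is ignored only when the target's login shell is not listed in /etc/shells; the function names and the sample accounts are constructed.

```shell
#!/bin/sh
# Added example. Output format: user:login_shell:verdict
# Assumed rule (su's documented behaviour): for a non-root caller, -s SHELL is
# ignored only if the target's login shell is NOT listed in /etc/shells.
# A root caller's -s is always honored, whatever the login shell is.
audit_su_shell() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    awk -F: -v shells="$shells_file" '
        BEGIN {
            # Load /etc/shells, skipping comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                if (line != "") listed[line] = 1
            }
        }
        NF >= 7 {
            shell = $7                       # field 7 is the login shell
            n = split(shell, parts, "/"); base = parts[n]
            # Only report accounts that were "locked" with a no-op shell.
            if (base != "true" && base != "false" && base != "nologin") next
            if (shell in listed) verdict = "su-s-honored"
            else                 verdict = "su-s-ignored-for-non-root"
            print $1 ":" shell ":" verdict
        }
    ' "$passwd_file"
}

# Constructed sample files: /bin/false is listed in shells, /bin/true is not.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed /etc/shells' /bin/sh /bin/tcsh /bin/false \
        > "$d/shells"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/tcsh' \
        'postgres:x:70:70:constructed:/var/lib/pgsql:/bin/false' \
        'svc:x:71:71:constructed:/nonexistent:/bin/true' > "$d/passwd"
    audit_su_shell "$d/passwd" "$d/shells"
    rm -rf "$d"
}

demo
```

On a live system, run audit_su_shell with no arguments to read /etc/passwd and /etc/shells; an account reported as su-s-honored is one where the no-op login shell does not stop a caller who knows the password from choosing another shell.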