Re: How to make PostreSQL utilities honor home directories?

From: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
To: noloader(at)gmail(dot)com, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Peter J(dot) Holzer" <hjp-pgsql(at)hjp(dot)at>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: How to make PostreSQL utilities honor home directories?
Date: 2022-09-02 04:10:44
Message-ID: ea685213-835c-8ffe-c806-69e2062ffdbe@aklaver.com
Lists: pgsql-general

On 9/1/22 6:31 PM, Jeffrey Walton wrote:
> On Thu, Sep 1, 2022 at 8:51 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>
>> "Peter J. Holzer" <hjp-pgsql(at)hjp(dot)at> writes:
>>> However, the symlink doesn't seem to be the culprit. If I run
>>> % sudo -u postgres -H /usr/lib/postgresql/13/bin/psql
>>> (which is not a symlink)
>>> I get the same behaviour. So it seems that psql changes to its basedir
>>> and then can't change back again.
>>
>> Ah --- looking closer at that code, it will chdir *before* checking
>> whether the target file is a symlink, which is probably unnecessarily
>> stupid. I'm wondering whether we could drop that logic altogether [1],
>> but that won't help you today.
>>
>> I concur with the other person asking why you want to sudo to postgres
>> at all, though. It's generally safest if the client side isn't running
>> as the same user as the server.
>
> The use case is an install of DefectDojo [2]. I _think_ they are
> taking advantage of the fact that as root, you don't need to
> authenticate because of postgresql's use of domain sockets. (Hat tip
> for that, by the way). The installer code will install packages, set up
> the database, install the DefectDojo programs, etc.

You are not running as root (Postgres won't allow you to do this anyway); you
are running as the postgres system user and the authentication is handled by
pg_hba.conf. I'm also betting that if you look at pg_hba.conf it is set
up to do peer authentication and hence the need to be the postgres system
user. You can obtain a similar result in pg_hba.conf with:

TYPE   DATABASE  USER      ADDRESS  METHOD
local  all       postgres           trust

Then you could eliminate the whole sudo dance.

Or set up:

TYPE  DATABASE  USER  ADDRESS      METHOD
host  postgres  all   <some_host>  scram-sha-256

if you want password protection.

>
> Jeff
>
>> [1] https://www.postgresql.org/message-id/797232.1662075573%40sss.pgh.pa.us
> [2] https://github.com/DefectDojo/godojo
>
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
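
Added example (not part of the message above and not PostgreSQL's own code): a simplified Python model of how pg_hba.conf records are evaluated first-match-wins, showing what peer, trust and scram-sha-256 each check for the records discussed above. The OS user name jeff and the address 192.0.2.10/32 are constructed; only local/host records, the "all" keyword and CIDR addresses are modelled.

```python
import ipaddress

def parse_hba(text):
    """Parse pg_hba.conf text into records (simplified: local/host only)."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if not fields:
            continue
        if fields[0] == "local":      # local records have no ADDRESS column
            rtype, db, user, method = fields[:4]
            addr = None
        else:
            rtype, db, user, addr, method = fields[:5]
        records.append((rtype, db, user, addr, method))
    return records

def decide(records, conn_type, db, db_user, os_user=None, client_ip=None):
    """Return the outcome dictated by the first matching record."""
    for rtype, rdb, ruser, addr, method in records:
        if rtype != conn_type or rdb not in ("all", db) or ruser not in ("all", db_user):
            continue
        if rtype == "host" and addr != "all" and \
                ipaddress.ip_address(client_ip) not in ipaddress.ip_network(addr):
            continue
        # First match wins; later records are never consulted.
        if method == "trust":
            return "allowed: no credential check"
        if method == "peer":          # OS user name must equal the database user name
            return "allowed: peer" if os_user == db_user else "rejected: peer mismatch"
        if method == "scram-sha-256":
            return "password required (SCRAM-SHA-256)"
        return "method not modelled: " + method
    return "rejected: no matching record"

# Constructed sample configurations based on the records quoted in the message.
PEER = parse_hba("local all postgres peer")
TRUST = parse_hba("local all postgres trust")
SCRAM = parse_hba("# TYPE DATABASE USER ADDRESS METHOD\n"
                  "host postgres all 192.0.2.10/32 scram-sha-256")

if __name__ == "__main__":
    for name, cfg in (("peer", PEER), ("trust", TRUST)):
        for os_user in ("postgres", "jeff"):
            print(name, os_user, "->", decide(cfg, "local", "postgres", "postgres", os_user))
    print("scram ->", decide(SCRAM, "host", "postgres", "postgres", client_ip="192.0.2.10"))
```

In this model the trust record gives the same result for every local OS user, while peer ties the database user to the connecting OS account.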
