heads up -- subtle change of behavior of new initdb
I just noticed tonight that the new initdb introduced a subtle change of
behavior. I use a shell script to automate the process of
- rm old data directory
- mkdir new data directory
- initdb
- load from pgdumpall
Now, that second step is not needed, but as of today it produces an
installation that won't start due to improper permissions on data
Thought it was worth mentioning, or possibly reinstating old behavior.
Joe
Joe Conway <mail@joeconway.com> writes:
I just noticed tonight that the new initdb introduced a subtle change of
behavior. I use a shell script to automate the process of
- rm old data directory
- mkdir new data directory
- initdb
- load from pgdumpall
Now, that second step is not needed, but as of today it produces an
installation that won't start due to improper permissions on data
That's a bug --- evidently the "fix permissions" path of control is
wrong; can you take a look?
regards, tom lane
Tom Lane wrote:
Joe Conway <mail@joeconway.com> writes:
Now, that second step is not needed, but as of today it produces an
installation that won't start due to improper permissions on dataThat's a bug --- evidently the "fix permissions" path of control is
wrong; can you take a look?
Here's a small patch. I think this is all that's needed.
Joe
Attachments:
initdb-fix.patchtext/plain; name=initdb-fix.patchDownload
Index: src/bin/initdb/initdb.c
===================================================================
RCS file: /opt/src/cvs/pgsql-server/src/bin/initdb/initdb.c,v
retrieving revision 1.7
diff -c -r1.7 initdb.c
*** src/bin/initdb/initdb.c 13 Nov 2003 23:46:31 -0000 1.7
--- src/bin/initdb/initdb.c 14 Nov 2003 07:46:22 -0000
***************
*** 2345,2350 ****
--- 2345,2353 ----
made_new_pgdata = true;
}
+ else
+ /* already exists, but make sure permissions are correct */
+ chmod(pg_data, 0700);
/* Create required subdirectories */
darnit!
patch attached.
(Thinks - do we need to worry about suid sgid and sticky bits on data dir?)
andrew
Tom Lane wrote:
Show quoted text
Joe Conway <mail@joeconway.com> writes:
I just noticed tonight that the new initdb introduced a subtle change of
behavior. I use a shell script to automate the process of
- rm old data directory
- mkdir new data directory
- initdb
- load from pgdumpall
Now, that second step is not needed, but as of today it produces an
installation that won't start due to improper permissions on dataThat's a bug --- evidently the "fix permissions" path of control is
wrong; can you take a look?
Attachments:
initdb.c.permpatchtext/plain; name=initdb.c.permpatchDownload
? .deps
? initdb
Index: initdb.c
===================================================================
RCS file: /projects/cvsroot/pgsql-server/src/bin/initdb/initdb.c,v
retrieving revision 1.7
diff -c -w -r1.7 initdb.c
*** initdb.c 13 Nov 2003 23:46:31 -0000 1.7
--- initdb.c 14 Nov 2003 06:47:50 -0000
***************
*** 2345,2350 ****
--- 2345,2359 ----
made_new_pgdata = true;
}
+ else
+ {
+ printf("fixing permissions on existing directory %s... ",pg_data);
+ fflush(stdout);
+ if (!chmod(pg_data,0700))
+ exit_nicely();
+ else
+ check_ok();
+ }
/* Create required subdirectories */
+ if (!chmod(pg_data,0700))
Out of curiosity, what was the rationale for using 0700? I know it was a pain
for me when I had a script to monitor the tmp usage. Surely read access to
privileged users isn't really a problem? I'm thinking more of loosening the
paranoia check elsewhere rather than this default.
Wouldn't at least 0750 be safe? That way putting a user in the postgres group
would grant him access to be able to browse around and read the files in
pg_data.
Actually I should think 02750 would be better so that the group is inherited
by subdirectories.
--
greg
Greg Stark writes:
Wouldn't at least 0750 be safe? That way putting a user in the postgres group
would grant him access to be able to browse around and read the files in
pg_data.
That assumes that there is a restricted postgres group, which is not
guaranteed.
--
Peter Eisentraut peter_e@gmx.net
The shell script said this:
$ECHO_N "fixing permissions on existing directory $PGDATA...
"$ECHO_C
chmod go-rwx "$PGDATA" || exit_nicely
There's no more rationale than that for this patch.
I'm inclined to agree with you, though.
cheers
andrew
Greg Stark wrote:
Show quoted text
+ if (!chmod(pg_data,0700))
Out of curiosity, what was the rationale for using 0700? I know it was a pain
for me when I had a script to monitor the tmp usage. Surely read access to
privileged users isn't really a problem? I'm thinking more of loosening the
paranoia check elsewhere rather than this default.Wouldn't at least 0750 be safe? That way putting a user in the postgres group
would grant him access to be able to browse around and read the files in
pg_data.Actually I should think 02750 would be better so that the group is inherited
by subdirectories.
Peter Eisentraut <peter_e@gmx.net> writes:
Greg Stark writes:
Wouldn't at least 0750 be safe? That way putting a user in the postgres group
would grant him access to be able to browse around and read the files in
pg_data.That assumes that there is a restricted postgres group, which is not
guaranteed.
Well the current setup assumes the admin hasn't leaked the root password too.
I'm not suggesting making that the default setup, just loosening the paranoia
check so that if an admin sets the directory to be group readable the database
doesn't refuse to start up.
--
greg
Greg Stark <gsstark@mit.edu> writes:
I'm not suggesting making that the default setup, just loosening the
paranoia check so that if an admin sets the directory to be group
readable the database doesn't refuse to start up.
In previous discussions of this point, paranoia was considered desirable.
I don't think the situation has changed.
regards, tom lane
Andrew Dunstan <andrew@dunslane.net> writes:
darnit!
patch attached.
Applied with correction (you got the return-value check backwards)
and further work to deal reasonably with error conditions occurring
in check_data_dir.
regards, tom lane
Tom Lane wrote:
Greg Stark <gsstark@mit.edu> writes:
I'm not suggesting making that the default setup, just loosening the
paranoia check so that if an admin sets the directory to be group
readable the database doesn't refuse to start up.In previous discussions of this point, paranoia was considered desirable.
I don't think the situation has changed.
Would it be worth having a command line option to relax the paranoia a
bit, leaving the current paranoia setting as the default? I guess it
would have to be on the command line because IIRC this is checked before
we ever look at the config file.
cheers
andrew
Patch applied. Thanks.
---------------------------------------------------------------------------
Andrew Dunstan wrote:
darnit!
patch attached.
(Thinks - do we need to worry about suid sgid and sticky bits on data dir?)
andrew
Tom Lane wrote:
Joe Conway <mail@joeconway.com> writes:
I just noticed tonight that the new initdb introduced a subtle change of
behavior. I use a shell script to automate the process of
- rm old data directory
- mkdir new data directory
- initdb
- load from pgdumpall
Now, that second step is not needed, but as of today it produces an
installation that won't start due to improper permissions on dataThat's a bug --- evidently the "fix permissions" path of control is
wrong; can you take a look?
? .deps ? initdb Index: initdb.c =================================================================== RCS file: /projects/cvsroot/pgsql-server/src/bin/initdb/initdb.c,v retrieving revision 1.7 diff -c -w -r1.7 initdb.c *** initdb.c 13 Nov 2003 23:46:31 -0000 1.7 --- initdb.c 14 Nov 2003 06:47:50 -0000 *************** *** 2345,2350 **** --- 2345,2359 ----made_new_pgdata = true; } + else + { + printf("fixing permissions on existing directory %s... ",pg_data); + fflush(stdout); + if (!chmod(pg_data,0700)) + exit_nicely(); + else + check_ok(); + }/* Create required subdirectories */
---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073Tom Lane wrote:
Andrew Dunstan <andrew@dunslane.net> writes:
darnit!
patch attached.Applied with correction (you got the return-value check backwards)
and further work to deal reasonably with error conditions occurring
in check_data_dir.
Tom applied it before I could.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073Tom Lane wrote:
Andrew Dunstan <andrew@dunslane.net> writes:
darnit!
patch attached.Applied with correction (you got the return-value check backwards)
and further work to deal reasonably with error conditions occurring
in check_data_dir.
darnit again.
I'm taking a break - my head is swimming with Java, JavaScript, Perl,
HTML and XML/XSL from my real (i.e. paying) work, and context switching
is causing massive mental thrashing.
cheers
andrew