BUG #19388: Failing to connect to postgres with EACCES error
The following bug has been logged on the website:
Bug reference: 19388
Logged by: George Nugent
Email address: gc.nugent66@gmail.com
PostgreSQL version: 17.7
Operating system: Linux
Description:
Running on k8s pods, I have an issue where a process cannot connect to an
Azure Postgres server due to a permission error.
1782279 1769097264.122469 openat(AT_FDCWD,
"/home/xxxxx/.postgresql/root.crl", O_RDONLY) = -1 EACCES (Permission
denied)
1782279 1769097264.122535 stat("/home/xxxxx/.postgresql/postgresql.crt",
0x7fcdd85a2de0) = -1 EACCES (Permission denied)
We use standard SSL without client certificates and the running process is
setup without a homedir for security reasons.
I noticed from the postgres source code that only ENOENT & ENOTDIR are
allowable errors but EACCES is a fail condition.
I understand the reasoning for checking for existence of certificates, but
can the Permission Denied error also be treated as "Can't get client certs,
continue to try to connect without"?
PG Bug reporting form <noreply@postgresql.org> writes:
Running on k8s pods, I have an issue where a process cannot connect to an
Azure Postgres server due to a permission error.
...
We use standard SSL without client certificates and the running process is
setup without a homedir for security reasons.
I'm pretty skeptical that that is a good idea, but if you are stubborn
about it you could explicitly specify "sslcert=/no/such/file" and so
on in your connection parameters. Another way is to make the HOME
environment variable point at a directory that actually doesn't exist,
rather than one that has access restrictions.
I noticed from the postgres source code that only ENOENT & ENOTDIR are
allowable errors but EACCES is a fail condition.
I understand the reasoning for checking for existence of certificates, but
can the Permission Denied error also be treated as "Can't get client certs,
continue to try to connect without"?
No, I don't think that would be an improvement in user experience
for most people. If your cert isn't working and libpq fails to
tell you why not, debugging that could be pretty unpleasant.
If anything, I'd lean towards removing the special exception for
ENOTDIR ... I wonder why that's there.
regards, tom lane
On Fri, Jan 23, 2026 at 7:35 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
If anything, I'd lean towards removing the special exception for
ENOTDIR ... I wonder why that's there.
I think removing that would take some adjustments to
pqGetHomeDirectory(), so that it actually checks for the existence of
that directory before returning true. `have_homedir` is kind of a
misleading name in this context.
--Jacob
Jacob Champion <jacob.champion@enterprisedb.com> writes:
On Fri, Jan 23, 2026 at 7:35 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
If anything, I'd lean towards removing the special exception for
ENOTDIR ... I wonder why that's there.
I think removing that would take some adjustments to
pqGetHomeDirectory(), so that it actually checks for the existence of
that directory before returning true. `have_homedir` is kind of a
misleading name in this context.
I dug into our git history and traced the appearance of ENOTDIR to
commit 5b40677986984d450a2a16e515fe44d90dfeef02
Author: Magnus Hagander <magnus@hagander.net>
Date: Sat Dec 3 15:02:53 2011 +0100
Treat ENOTDIR as ENOENT when looking for client certificate file
This makes it possible to use a libpq app with home directory set
to /dev/null, for example - treating it the same as if the file
doesn't exist (which it doesn't).
Per bug #6302, reported by Diego Elio Petteno
We could imagine pushing the stat() test into pqGetHomeDirectory,
which might be a more sensible factorization, but I don't think
it'd move the behavior much.
regards, tom lane