Improved security for https://www.postgresql.org/docs/current/install-make.html

Started by PG Bug reporting form, over 1 year ago. 4 messages. Tag: docs
#1 PG Bug reporting form
noreply@postgresql.org

The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/17/install-make.html
Description:

The current 'short' version is

```
./configure
make
su
make install
adduser postgres
mkdir -p /usr/local/pgsql/data
chown postgres /usr/local/pgsql/data
su - postgres
/usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data
/usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data -l logfile start
/usr/local/pgsql/bin/createdb test
/usr/local/pgsql/bin/psql test
```

The security could be improved by limiting the amount of work that is done
as root. (sudo make install -- shudder!)

First, split `make install` so `make build` gets as far as building the
libraries **under the current directory**, not on location in the start
directory.

Second, verify that `make install` does nothing but create directories and
copy files into them. It can probably also include the tasks currently done
by `make installdir` but the latter might still be required by some external
process. This target should be reviewed by security experts.

The 'short' script can then be rewritten as

```
# work done as a regular user
./configure
make build

# work that requires ROOT access
su
mkdir /usr/local/pgsql/data
chown (current user):(current group) /usr/local/pgsql
adduser --system --group postgres
exit

# work that requires POSTGRES access
su -u postgres
make install installdirs
exit

# work that requires ROOT access
su
adduser --system --group postgres
chown -R postgres:postgres /usr/local/pgsql
exit

# work that requires POSTGRES access
su - postgres
/usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data
/usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data -l logfile start
/usr/local/pgsql/bin/createdb test
/usr/local/pgsql/bin/psql test
exit
```

#2 Peter Eisentraut
peter_e@gmx.net
In reply to: PG Bug reporting form (#1)
Re: Improved security for https://www.postgresql.org/docs/current/install-make.html

On 06.11.24 22:58, PG Doc comments form wrote:

The 'short' script can then be rewritten as

```
# work done as a regular user
./configure
make build

# work that requires ROOT access
su
mkdir /usr/local/pgsql/data
chown (current user):(current group) /usr/local/pgsql
adduser --system --group postgres
exit

# work that requires POSTGRES access
su -u postgres
make install installdirs
exit

We don't want the installed files to be owned by postgres. That would
mean that a compromised PostgreSQL server (running as "postgres") could
overwrite its own installation files. You don't have to use "root" for
the installation, of course, but it should be separate from "postgres".
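The property Peter describes (the server's own OS account must not be able to overwrite the installed tree) can be checked after `make install`. This is an added example, not code from the PostgreSQL docs or from anyone in this thread; it assumes POSIX `find`, and the prefix and account name are parameters.

```shell
#!/bin/sh
# Added example, not part of the PostgreSQL docs or this thread.
# Verifies that nothing under the installation prefix is owned by, or
# otherwise writable by, the server's OS account. Assumes POSIX find.

# check_install_ownership PREFIX SERVICE_USER
# Lists offending paths on stdout; returns 0 if the tree is safe, 1 otherwise.
check_install_ownership() {
    prefix=$1
    svc_user=$2
    # Files owned by the service account: a compromised server running as
    # that account could replace its own binaries, libraries or extensions.
    owned=$(find "$prefix" -user "$svc_user" 2>/dev/null)
    # Group- or world-writable entries (octal 020 / 002) give the same
    # write access even when root owns the file.
    writable=$(find "$prefix" \( -perm -020 -o -perm -002 \) 2>/dev/null)
    if [ -n "$owned" ]; then
        printf 'owned by %s:\n%s\n' "$svc_user" "$owned"
    fi
    if [ -n "$writable" ]; then
        printf 'group/world-writable:\n%s\n' "$writable"
    fi
    if [ -n "$owned" ] || [ -n "$writable" ]; then
        return 1
    fi
    return 0
}

# Usage: sh check_install.sh /usr/local/pgsql postgres
if [ "$#" -eq 2 ]; then
    check_install_ownership "$1" "$2"
fi
```

Run it as root (or as whichever account did the install) after `make install` and before `initdb`; a non-zero exit means the prefix needs `chown`/`chmod` before the server is started.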

#3 Bear Giles
bgiles@coyotesong.com
In reply to: Peter Eisentraut (#2)
Re: Improved security for https://www.postgresql.org/docs/current/install-make.html

You'll want to update the existing page then! :-)

My point was mostly that I did a fresh 'git clone', followed the
instructions, and was immediately hit by a "permission denied" error
because the make script tried to create a directory under /usr/local. It
wasn't clear whether that was the only thing that required root access. The
script I provided was one approach, but it can be greatly simplified if all
that's required is creating the directory and changing its ownership prior
to running the 'make install'.

(I still think it's a Good Idea to separate compilation and
deployment/installation but that's a separate issue.)

Bear

On Mon, Nov 11, 2024 at 8:32 AM Peter Eisentraut <peter@eisentraut.org>
wrote:


On 06.11.24 22:58, PG Doc comments form wrote:

The 'short' script can then be rewritten as

```
# work done as a regular user
./configure
make build

# work that requires ROOT access
su
mkdir /usr/local/pgsql/data
chown (current user):(current group) /usr/local/pgsql
adduser --system --group postgres
exit

# work that requires POSTGRES access
su -u postgres
make install installdirs
exit

We don't want the installed files to be owned by postgres. That would
mean that a compromised PostgreSQL server (running as "postgres") could
overwrite its own installation files. You don't have to use "root" for
the installation, of course, but it should be separate from "postgres".

#4 Peter Eisentraut
peter_e@gmx.net
In reply to: Bear Giles (#3)
Re: Improved security for https://www.postgresql.org/docs/current/install-make.html

On 12.11.24 22:50, Bear Giles wrote:

My point was mostly that I did a fresh 'git clone', followed the
instructions, and was immediately hit by a "permission denied" error
because the make script tried to create a directory under /usr/local. It
wasn't clear whether that was the only thing that required root access.

Please provide a precise description of what steps you did and what the
result or output from each was. This report is not clear enough to be
actionable. As far as I can tell, the existing instructions are sound
for a typical use, so it's not clear where your situation diverged.