Hello,

Giovanni Biscuolo <g...@xelera.eu> wrote (on Wed, Nov 13, 2019, 18:38):
>
> Hello Guix!
>
> Current postgresql access rules (pg_hba.conf) default to (see
> [bug#36191] for details on that patch):
>
> --8<---------------cut here---------------start------------->8---
> local   all   all                  peer
> host    all   all   127.0.0.1/32   md5
> host    all   all   ::1/128        md5
> --8<---------------cut here---------------end--------------->8---
>
> Peer authentication works by obtaining the (local) client's operating
> system user name from the kernel and using it as the allowed database
> user name, and is better than "trust" authentication
>
> To access a database server on localhost for the first time as the user
> postgres (the superuser) a person should use:
>
> --8<---------------cut here---------------start------------->8---
> sudo su postgres -c 'psql'
> --8<---------------cut here---------------end--------------->8---
>
> AFAIK this is the only method available after database initialization,
> with peer authentication
>
> Since the postgres user currently has a nologin shell (from
> gnu/services/databases.scm):
>
> --8<---------------cut here---------------start------------->8---
> (define %postgresql-accounts
>   (list (user-group (name "postgres") (system? #t))
>         (user-account
>          (name "postgres")
>          (group "postgres")
>          (system? #t)
>          (comment "PostgreSQL server user")
>          (home-directory "/var/empty")
>          (shell (file-append shadow "/sbin/nologin")))))
> --8<---------------cut here---------------end--------------->8---
>
> the above command does not work
>
> As a workaround I changed the postgres user shell to <store>/bin/bash
> and I was able to connect
>
> I do not see any security issue giving a shell to postgres, since its
> password is disabled in /etc/shadow so the only way to access as
> postgres is via `sudo su postgres`

I would not mind this change, I think it is ok. However it is easy to
work around this with su -s. I usually do that.

>
> Thoughts?
>
> Thanks, Gio'
>
> --
> Giovanni Biscuolo
>
> Xelera IT Infrastructures

Best regards,
g_bor
--
OpenPGP Key Fingerprint: 7988:3B9F:7D6A:4DBF:3719:0367:2506:A96C:CF63:0B21
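
The peer check described in the quoted message, sketched as an added example (not code from this thread, from Guix or from PostgreSQL): on Linux the kernel reports the credentials of the process at the other end of a Unix socket through `SO_PEERCRED`, and the server compares the resulting OS user name with the requested database user. The names `peer_credentials` and `peer_auth` are hypothetical, and the socket pair stands in for a client connection; Linux is assumed.

```python
import os
import pwd
import socket
import struct

# Linux "struct ucred": pid_t pid; uid_t uid; gid_t gid;
UCRED = "iII"


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer, as reported by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED))
    return struct.unpack(UCRED, raw)


def peer_auth(conn, requested_db_user):
    """Allow the connection only if the peer's OS user name equals the
    requested database user name (peer method without a user map)."""
    _pid, uid, _gid = peer_credentials(conn)
    try:
        os_user = pwd.getpwuid(uid).pw_name
    except KeyError:
        # uid has no passwd entry: nothing to match against, so reject
        return False
    return os_user == requested_db_user


if __name__ == "__main__":
    # Constructed stand-in for a client connecting over the server's socket.
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        pid, uid, gid = peer_credentials(server)
        print(f"kernel reports peer pid={pid} uid={uid} gid={gid}")
        for db_user in ("postgres", "root"):
            verdict = "accept" if peer_auth(server, db_user) else "reject"
            print(f"connect as database user {db_user!r}: {verdict}")
    finally:
        server.close()
        client.close()
```

The client does not supply the user name being checked, which is why connecting as the `postgres` database user requires the client process itself to run as the `postgres` OS user.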