
Thread: Permission clarification for "/var/run/postgresql"

  1. #1

    Question Permission clarification for "/var/run/postgresql"

    I would like to try application development out with the software "PostgreSQL 9.3.5-3.1". But I stumble on the following setting.
    Code:
    elfring@Sonne:~> ls -l -d /var/run/postgresql
    drwxr-xr-x 2 postgres postgres 40 22. Jan 12:47 /var/run/postgresql
    Why is the write permission missing for this group by default?
    How should group members use personal database instances without it?

    I hope that manual right additions should not be needed here.

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,270

    Default Re: Permission clarification for "/var/run/postgresql"

    I do not know much about PostgreSQL, but as long as nobody with more knowledge tunes in, just my two cents (to keep you busy reading).

    You apparently think that members of the group postgres should be able to write there. Are there any more members than the user postgres in that group? And when yes, are they created by the installation of postgres or did you make user(s) member of that group? And when the last, is that based on some manual documentation?

    I ask this, because to me it looks strange that the installation would not do this correctly. I know you think that also, but your conclusion is that that is wrong, while my conclusion is that it is correct and that you are walking the wrong path.

    My idea is backed by the fact that it is in /var/run, which (at least in my 13.1, but why should it be different in 13.2) is mounted as tmpfs. Which means that all in there is lost at system shutdown. So it is a vulnerable place.

    As said, no PostgreSQL knowledge used here.
    Henk van Velden

  3. #3
    Join Date
    Oct 2011
    Location
    Germany (Ore Mountains)
    Posts
    428

    Default Re: Permission clarification for "/var/run/postgresql"

    These permissions are controlled by a file named: /usr/lib/tmpfiles.d/postgresql93.conf

    content:
    Code:
    # For the PostgreSQL server's unix domain socket
    d /var/run/postgresql 0755 postgres postgres -
    I am not sure why the packager made this decision, but I can imagine that it has security implications.

    What do you mean with "personal database instance"?
    Something like the mysql instance used by akonadi for the KDE-PIM suite? It uses a directory structure under your home directory (~/.local/share/akonadi/).
    Or publicly accessible postgres instances owned by different users? Then you need to change the permissions in /usr/lib/tmpfiles.d/postgresql93.conf.

    Hendrik

  4. #4

    Wink Re: Permission clarification for "/var/run/postgresql"

    Quote: Originally posted by hendwolt
    These permissions are controlled by a file named: /usr/lib/tmpfiles.d/postgresql93.conf
    Will it make sense to update this configuration file for the software package "postgresql??-server"?

    What do you mean with "personal database instance"?
    Every member of a system group like "postgres" should be able to start their own databases by default.
    They should not need to depend on a corresponding software start as a system service.

    Something like the mysql instance used by akonadi for the KDE-PIM suite?
    Such a use case might be similar.

    Or publicly accessible postgres instances owned by different users?
    This use case is also interesting, isn't it?

  5. #5
    Join Date
    Oct 2011
    Location
    Germany (Ore Mountains)
    Posts
    428

    Default Re: Permission clarification for "/var/run/postgresql"

    Quote: Originally posted by elfring
    Will it make sense to update this configuration file for the software package "postgresql??-server"?
    No. As with every other systemd config file, put a copy into the corresponding etc-directory ( /etc/tmpfiles.d ) and change the copy.

    - akonadi use case: Put the whole postgresql database (data directory, config, socket, ... everything) in a directory under the user's home directory. No permission problems there.
    - public databases: change the copy of postgresql93.conf

    Be aware that you need to configure the connectivity of multiple database instances on one machine to use different ports/ip addresses/sockets. Otherwise you get conflicts and inaccessible servers.

    Hendrik

  6. #6

    Question Re: Permission clarification for "/var/run/postgresql"

    Quote: Originally posted by hendwolt
    I am not sure why the packager made this decision, but I can imagine that it has security implications.
    What do you think about taking another look at a file like "/usr/lib/tmpfiles.d/postgresql.conf"?

    Would you like to discuss a recent change by Reinhard Max like the following any further?
    Code:
    Log entry:
    Change the permissions and ownership of /var/run/postgresql to match those
    of /tmp (the traditional location of PostgreSQL's unix domain sockets
    and lock files), so that users other than "postgres" are able to start
    their own database instances.
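
Added example, not part of any post in this thread and not the package's own code: a Python sketch that resolves which tmpfiles.d file is in effect and assesses the `d /var/run/postgresql` line quoted above. The 0775 and 1777 override lines are constructed for illustration (the 1777 root root line assumes the usual mode and ownership of /tmp), and all function names are hypothetical.

```python
import posixpath

# systemd-tmpfiles precedence: a file in /etc/tmpfiles.d replaces a file of
# the same name in /run/tmpfiles.d or /usr/lib/tmpfiles.d.
PRECEDENCE = ["/usr/lib/tmpfiles.d", "/run/tmpfiles.d", "/etc/tmpfiles.d"]

def effective_files(files):
    """Map config file name -> content; later (higher-priority) dirs win."""
    chosen = {}
    for directory in PRECEDENCE:
        for path, content in files.items():
            if posixpath.dirname(path) == directory:
                chosen[posixpath.basename(path)] = content
    return chosen

def directory_rule(files, target):
    """Return (mode, user, group) from the first 'd' line for target."""
    for _, content in sorted(effective_files(files).items()):
        for line in content.splitlines():
            fields = line.split()
            if len(fields) >= 5 and fields[0] == "d" and fields[1] == target:
                return int(fields[2], 8), fields[3], fields[4]
    return None

def assess(mode, user, group):
    """Say who may create sockets there and whether they can clobber others."""
    if mode & 0o002:
        writers = "any user"
    elif mode & 0o020:
        writers = f"user {user} and group {group}"
    else:
        writers = f"user {user} only"  # assumes the owner write bit is set
    # In a directory shared by several writers, only the sticky bit stops one
    # of them from deleting or replacing another's socket and lock file.
    risky = bool(mode & 0o022) and not mode & 0o1000
    return writers, risky

# Line quoted in the thread (postgresql93.conf as packaged).
PACKAGED = "d /var/run/postgresql 0755 postgres postgres -\n"
# Constructed overrides, not taken from the thread or the package.
GROUP_WRITABLE = "d /var/run/postgresql 0775 postgres postgres -\n"
LIKE_TMP = "d /var/run/postgresql 1777 root root -\n"

def check(override=None):
    """Assess /var/run/postgresql with an optional /etc/tmpfiles.d override."""
    files = {"/usr/lib/tmpfiles.d/postgresql93.conf": PACKAGED}
    if override is not None:
        files["/etc/tmpfiles.d/postgresql93.conf"] = override
    return assess(*directory_rule(files, "/var/run/postgresql"))
```

Adding only group write (0775) lets every group member remove another member's socket, which is why a shared socket directory normally carries the sticky bit as /tmp does.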

  7. #7
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,761

    Default Re: Permission clarification for "/var/run/postgresql"

    Sounds like you need to discuss this with Reinhard Max, not us plain old users here. I'm sure there is a mailing list somewhere that you can join and discuss such things with the developers.

  8. #8

    Question Re: Permission clarification for "/var/run/postgresql"

    Quote: Originally posted by gogalthorp
    … not us plain old users here.
    Did you stumble on a need to fiddle with your own database instances?

  9. #9
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,761

    Default Re: Permission clarification for "/var/run/postgresql"

    Seems like a question only the developers can answer. And no, I don't fiddle with them.

  10. #10
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,394
    Blog Entries
    2

    Default Re: Permission clarification for "/var/run/postgresql"

    Quote: Originally posted by elfring
    I would like to try application development out with the software "PostgreSQL 9.3.5-3.1". But I stumble on the following setting.
    Code:
    elfring@Sonne:~> ls -l -d /var/run/postgresql
    drwxr-xr-x 2 postgres postgres 40 22. Jan 12:47 /var/run/postgresql
    Why is the write permission missing for this group by default?
    How should group members use personal database instances without it?

    I hope that manual right additions should not be needed here.
    I don't understand what your comment and observation... and especially what the error is supposed to be.

    Judging from the other comments in this thread,
    Do you think you are somehow supposed to edit this file directly?

    That wouldn't be true of <any> runtime database files unless... only <maybe> sqlite which is unique in that the data is stored in a flat file instead of a non-ASCII type file.

    Database apps in general are applications which control and manage the way data is imported, exported and stored in a file and it is because of this that data relationships are defined and stored. The data is also likely stored in a proprietary non-ascii format for performance and size/storage reasons (typically some compression for things like whitespace might be implemented).

    Because data is stored in a proprietary way, the only way you should be able to access the data is through the application itself. This is why a database application typically "owns" all of its own running processes and the files it uses and accesses. Typically, the database application management will have its own built-in security to manage User access, so you'll often find that special database users need to be set up that aren't associated with anything else, or you might find the database user management integrated with non-database security. With Postgresql and MySQL for example, they will have their own database app root accounts which are not the same as the system root user account (although you can configure both to have same credentials).

    So, if for example when you wish to insert some data into something like Postgresql or MySQL, you can't just open up a file and copy some data into it, you need to use special database commands to first create a table with its specified structures, then use a database command to import data corresponding to the structure. The database application will proxy your User credentials to grant you permission to do these things without actually granting you those permissions directly.

    The above applies to almost all major relational and non-relational databases, with the notable exception of SQLite and "flat" databases like spreadsheets which are usually not so complex or sophisticated.

    So,
    You need to describe exactly what you are trying to do to properly answer whether you've found an error or if you're trying to do something forbidden.

    TSU
