nginx, postgresql: give corresponding groups permission to read #46670
Conversation
Success on x86_64-linux. Attempted: nginx, postgresql
Success on x86_64-darwin. Attempted: nginx, postgresql
Success on aarch64-linux. Attempted: nginx, postgresql
@@ -208,7 +208,7 @@ in | |||
'' | |||
# Create data directory. | |||
if ! test -e ${cfg.dataDir}/PG_VERSION; then | |||
mkdir -m 0700 -p ${cfg.dataDir} | |||
mkdir -m 0750 -p ${cfg.dataDir} |
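Review bot: the widened `mkdir -m 0750` only runs inside the `if ! test -e ${cfg.dataDir}/PG_VERSION` guard, so existing installations keep a 0700 data directory, and nothing in this hunk sets the group owner that a group-readable mode needs to be useful; a non-recursive `chown` placed after the `if` block would cover both fresh and existing installations. Also note that the PostgreSQL release in use here refuses a data directory with any group bits set (`FATAL: data directory ... has group or world access`), so a freshly created 0750 directory would stop the server from starting; a 0750 data directory is only accepted from PostgreSQL 11 onward.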
This does not affect existing systems though. I would also add a chown without recursion below the if block.
Sadly postgresql doesn't like it: FATAL: data directory "/var/db/postgresql-10.0" has group or world access
You could probably work around it with POSIX ACLs, but this is not something we can do in general.
second try on this: #65245
I've worked around the problem of PG with a hack:
They must have fixed this problem in PG11 (https://paquier.xyz/postgresql-2/postgres-11-group-access/)
Closing this, as
This is a rework of part of NixOS#46670. My use case was to be able to inspect the PG data dir as a wheel user. PG11 now allows starting the server with a 0750 mask for the data dir. `groupAccess = true` now does this automatically. The only thing you have to do is to set group ownership. For PG10 and below, I've described a hack for how this can be done. Before this PR the hack was impossible. The hack isn't ideal, because there is a short period of time when the dir mode is 0700, so I didn't want to make it official. A test/example is present too.
* nixos/postgresql: support 0750 for data directory. This is a rework of part of #46670. My use case was to be able to inspect the PG data dir as a wheel user. PG11 now allows starting the server with a 0750 mask for the data dir. `groupAccess = true` now does this automatically. The only thing you have to do is to set group ownership. For PG10 and below, I've described a hack for how this can be done. Before this PR the hack was impossible. The hack isn't ideal, because there is a short period of time when the dir mode is 0700, so I didn't want to make it official. A test/example is present too.
* postgresql: allow changing initdb arguments via module system. Closes #18829 + some cleanups
* addressed review comments and some fixes
* whoops
* change groupAccess to tristate, to not force `chmod` on dataDir. Making the mask either 0700 or 0750 is too restrictive.
* WIP
* let's not support group mode for versions pre-11. The only fix is to change the mode to 0700 before start, because otherwise postgresql doesn't start, and the error is non-obvious.
The motivation here is that I'd like to add the datadog user to the postgres and nginx groups, which would allow datadog to read logs. I was actually the one that added the existing permissions to nginx back in 2013, and postgresql seems to date back to even svn in 2009.
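The thread's point is that the data directory mode PostgreSQL accepts depends on the major version: 0700 only before PG11, 0700 or 0750 from PG11 on. The following shell check is an added example, not code from this PR or from nixpkgs; it reproduces that rule so a preStart hook can refuse to launch with a readable message instead of the terse FATAL quoted above. It assumes the PG11 rule is "no world bits and no group write bit" and that `stat -c` is GNU coreutils (Linux).

```shell
#!/bin/sh
# Added example (not from the PR or nixpkgs): reproduce PostgreSQL's data
# directory mode check so a NixOS preStart hook can fail early and clearly.
# Assumed rule:
#   PG 10 and below: any group or world bit is rejected (0700 only).
#   PG 11 and above: group read/execute is allowed (0750); group write or
#                    any world bit is still rejected.

# pg_mode_ok MAJOR MODE -> exit 0 if octal MODE is acceptable for PG MAJOR.
pg_mode_ok() {
  major=$1
  # Keep only the last three octal digits: user, group, other.
  mode=$(printf '%s' "$2" | sed 's/.*\(...\)$/\1/')
  group=$(printf '%s' "$mode" | cut -c2)
  other=$(printf '%s' "$mode" | cut -c3)
  [ "$other" -eq 0 ] || return 1          # world access is never allowed
  if [ "$major" -lt 11 ]; then
    [ "$group" -eq 0 ]                    # pre-11: no group bits at all
  else
    [ $((group & 2)) -eq 0 ]              # 11+: group may read/exec, not write
  fi
}

# pg_datadir_ok MAJOR DIR -> exit 0 if DIR's mode passes, else explain why.
# Run this before starting the server instead of letting it hit the FATAL.
pg_datadir_ok() {
  major=$1
  dir=$2
  [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
  mode=$(stat -c '%a' "$dir")             # GNU stat: octal mode, e.g. 750
  if pg_mode_ok "$major" "$mode"; then
    return 0
  fi
  if [ "$major" -lt 11 ]; then
    echo "$dir: mode $mode has group or world access; PG $major requires 0700" >&2
  else
    echo "$dir: mode $mode is not 0700 or 0750; PG $major rejects it" >&2
  fi
  return 1
}
```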