
nginx, postgresql: give corresponding groups permission to read #46670

Closed
wants to merge 1 commit into from

Conversation

domenkozar
Member

The motivation here is that I'd like to add the datadog user to the postgres and nginx groups, which would allow datadog to read logs. I was actually the one that added the existing permissions to nginx back in 2013, and postgresql seems to date back even to svn in 2009.

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: nginx, postgresql

@GrahamcOfBorg

Success on x86_64-darwin (full log)

Attempted: nginx, postgresql

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: nginx, postgresql

@@ -208,7 +208,7 @@ in
''
# Create data directory.
if ! test -e ${cfg.dataDir}/PG_VERSION; then
mkdir -m 0700 -p ${cfg.dataDir}
mkdir -m 0750 -p ${cfg.dataDir}
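Review bot: The switch to `mkdir -m 0750` sits inside the `if ! test -e ${cfg.dataDir}/PG_VERSION` guard, so it only takes effect on a freshly initialised data directory and existing installations stay at 0700; if group read access is meant for all systems, a non-recursive chown/chmod after the `if` block is needed as well. The bigger problem is that PostgreSQL before version 11 refuses to start on a data directory with group access (`FATAL: data directory "/var/db/postgresql-10.0" has group or world access`), so the 0750 mode has to be conditional on the PostgreSQL major version rather than applied unconditionally, which is the route the follow-up in #65245 takes.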
Member

This does not affect existing systems though. I would also add a chown without recursion below the if block.

Member Author

Sadly postgresql doesn't like it: FATAL: data directory "/var/db/postgresql-10.0" has group or world access

Member

You could probably work around with posix acls, but this is not something we can do in general.

Contributor

second try on this: #65245

@danbst
Contributor

danbst commented Jan 17, 2019

I've worked around the problem of PG with a hack:

```nix
# PostgreSQL 10 and below refuse to start when the data directory has group
# access, so the server is started at 0700 and the mode relaxed to 0750 afterwards.
systemd.services.postgresql.script = lib.mkForce ''
  ...
  ${initConfigScript}
  chmod 700 ${cfg.dataDir}     # must be 0700 at startup for PG <= 10
  exec postgres
'';
systemd.services.postgresql.postStart = lib.mkAfter ''
  chmod 750 -R ${cfg.dataDir}  # grant group read access once the server is up
'';
```

They must have fixed this problem in PG11 (https://paquier.xyz/postgresql-2/postgres-11-group-access/)

@danbst
Contributor

danbst commented Jul 22, 2019

Closing this, as nginx 0750 is now possible to implement with services.nginx.preStart and PG 0750 moved to #65245

@danbst danbst closed this Jul 22, 2019
danbst added a commit to danbst/nixpkgs that referenced this pull request Jul 23, 2019
This is a rework of part of NixOS#46670.
My use case was to be able to inspect the PG datadir as a wheel user.

PG11 now allows starting the server with a 0750 mask for the data dir.
`groupAccess = true` now does this automatically. The only thing you have to do
is to set group ownership.

For PG10 and below, I've described a hack for how this can be done. Before this PR
the hack was impossible. The hack isn't ideal, because there is a short
period of time when the dir mode is 0700, so I didn't want to make it official.

Test/example is present too.
danbst added a commit that referenced this pull request Feb 14, 2020
* nixos/postgresql: support 0750 for data directory

This is a rework of part of #46670.
My use case was to be able to inspect the PG datadir as a wheel user.

PG11 now allows starting the server with a 0750 mask for the data dir.
`groupAccess = true` now does this automatically. The only thing you have to do
is to set group ownership.

For PG10 and below, I've described a hack for how this can be done. Before this PR
the hack was impossible. The hack isn't ideal, because there is a short
period of time when the dir mode is 0700, so I didn't want to make it official.

Test/example is present too.

* postgresql: allow changing initdb arguments via module system

Closes #18829

+ some cleanups

* addressed review comments and some fixes

* whoops

* change groupAccess to tristate, to not force `chmod` on dataDir.

Making the mask either 0700 or 0750 is too restrictive.

* WIP

* let's not support group mode for versions pre-11.

The only fix is to change the mode to 0700 before start, because otherwise postgresql
doesn't start, and the error is non-obvious.
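The permission rule the thread keeps running into (0700 only before PostgreSQL 11; 0700 or 0750 from 11 on, which is what `groupAccess` relies on) can be checked before the server is started, so the failure is an explicit message rather than the non-obvious FATAL. The script below is an added example written for this page, not code from the PR or from NixOS; the function names are my own and it assumes a Linux host with GNU `stat` (with a BSD `stat` fallback).

```shell
#!/bin/sh
# Added example, not from the PR: mirror PostgreSQL's own data-directory
# permission check so a pre-start script can fail with a readable message
# instead of the server's "has group or world access" FATAL.
#
# Rule (PostgreSQL's checkDataDir):
#   major <  11: only the owner may have any access        (mask 0077)
#   major >= 11: group may read/execute but never write,
#                and "other" gets nothing                  (mask 0027)
# so 0700 is always accepted and 0750 only from PG 11 onward.

# pg_mode_ok MAJOR OCTAL_MODE -> exit 0 if that server version accepts the mode
pg_mode_ok() {
    major=$1
    mode=$((0$2))          # "750" and "0750" are both read as octal
    if [ "$major" -ge 11 ]; then
        mask=$((0027))     # S_IWGRP | S_IRWXO
    else
        mask=$((0077))     # S_IRWXG | S_IRWXO
    fi
    [ $((mode & mask)) -eq 0 ]
}

# pg_datadir_check MAJOR DIR -> exit 0 if DIR's current mode is acceptable,
# otherwise explain why on stderr and exit 1 (GNU stat first, BSD stat fallback)
pg_datadir_check() {
    major=$1
    dir=$2
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir") || return 2
    if pg_mode_ok "$major" "$mode"; then
        return 0
    fi
    if [ "$major" -ge 11 ]; then
        echo "$dir: mode $mode is invalid for PostgreSQL $major;" \
             "use 0700 (u=rwx) or 0750 (u=rwx,g=rx)" >&2
    else
        echo "$dir: mode $mode has group or world access;" \
             "PostgreSQL $major requires 0700 (fix the mode or upgrade to 11+)" >&2
    fi
    return 1
}

# Usage from a pre-start script, e.g.: pg_datadir_check 10 /var/db/postgresql-10.0
```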
4 participants