Discussion: unix_socket_group problem
I have a PostgreSQL installation for which I would like to limit local domain socket access to the postgres user and members of the "myadmin" group. I've modified pg_hba.conf to trust local domain socket connections, and changed these settings in postgresql.conf:
unix_socket_group = 'myadmin'
unix_socket_permissions = 0770
Using these settings, attempting to login via psql using different accounts results in the following:
root: connection refused
postgres: connection refused
myadmin: permission denied
When I look at the socket file in /tmp, I see the following:
srwx------ 1 postgres postgres 0 Nov 13 10:03 .s.PGSQL.5432
I thought by changing postgresql.conf the way I have, this should appear as:
srwxrwx--- 1 postgres myadmin 0 Nov 13 10:03 .s.PGSQL.5432
What am I missing? I'm currently running 64-bit PostgreSQL 8.4.1 on CentOS 5.4.
Thanks in advance,
Joe
Joe Miller <joe.d.miller@gmail.com> writes:
> I have a PostgreSQL installation for which I would like to limit local
> domain socket access to the postgres user and members of the "myadmin"
> group. I've modified pg_hba.conf to trust local domain socket connections,
> and changed these settings in postgresql.conf:
> unix_socket_group = 'myadmin'
> unix_socket_permissions = 0770

Looks reasonable.

> When I look at the socket file in /tmp, I see the following:
> srwx------ 1 postgres postgres 0 Nov 13 10:03 .s.PGSQL.5432

Huh, did you restart the server? Are you sure you modified the right config file? Those settings obviously didn't "take".

regards, tom lane
On Fri, Nov 13, 2009 at 11:47 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Joe Miller <joe.d.miller@gmail.com> writes:
>> I have a PostgreSQL installation for which I would like to limit local
>> domain socket access to the postgres user and members of the "myadmin"
>> group. I've modified pg_hba.conf to trust local domain socket connections,
>> and changed these settings in postgresql.conf:
>> unix_socket_group = 'myadmin'
>> unix_socket_permissions = 0770
>
> Looks reasonable.
>
>> When I look at the socket file in /tmp, I see the following:
>> srwx------ 1 postgres postgres 0 Nov 13 10:03 .s.PGSQL.5432
>
> Huh, did you restart the server? Are you sure you modified the right
> config file? Those settings obviously didn't "take".

Definitely the right file, and I've restarted multiple times. If I set this:
#unix_socket_group = ''
unix_socket_permissions = 0770
...everything works as I expect. I have access logged in as either root or postgres, but get "permission denied" if I'm logged in as a myadmin user.
If I set this:
unix_socket_group = 'myadmin'
unix_socket_permissions = 0777
...connection is refused for all accounts. For this config, I'd expect to see the socket owned by the myadmin group, but I should have access from any account, correct?
Joe
Joe Miller <joe.d.miller@gmail.com> writes:
> If I set this:
> unix_socket_group = 'myadmin'
> unix_socket_permissions = 0777
> ...connection is refused for all accounts.

Have you checked the postmaster's log to see if it's reporting any problems? I'm wondering if the chown() call is failing. Perhaps postgres isn't a member of myadmin?

Some experimentation shows that if we fail to set the requested group or permissions on the socket, the postmaster closes the socket and hence ignores any connection attempts through it, but the socket file is not physically unlinked until postmaster shutdown. So that seems consistent with your results, but there ought to be a complaint about it in the postmaster log.

(I'm not sure whether it's worth the trouble, or even a good idea, to unlink earlier in this situation. The presence of the socket file is partially a guard against starting another postmaster on the same port number, which seems like a good thing.)

regards, tom lane
On Fri, Nov 13, 2009 at 12:38 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Perhaps postgres isn't a member of myadmin?
That's what I was missing -- thanks Tom.
Joe