Discussion: unix_socket_group problem


unix_socket_group problem

From
Joe Miller
Date:
I have a PostgreSQL installation for which I would like to limit local domain socket access to the postgres user and members of the "myadmin" group. I've modified pg_hba.conf to trust local domain socket connections, and changed these settings in postgresql.conf:

unix_socket_group = 'myadmin'
unix_socket_permissions = 0770

Using these settings, attempting to login via psql using different accounts results in the following:

root:   connection refused
postgres: connection refused
myadmin: permission denied

When I look at the socket file in /tmp, I see the following:

srwx------  1 postgres postgres    0 Nov 13 10:03 .s.PGSQL.5432

I thought by changing postgresql.conf the way I have, this should appear as:

srwxrwx---  1 postgres myadmin    0 Nov 13 10:03 .s.PGSQL.5432

What am I missing?  I'm currently running 64-bit PostgreSQL 8.4.1 on CentOS 5.4.

Thanks in advance,

Joe

Re: unix_socket_group problem

From
Tom Lane
Date:
Joe Miller <joe.d.miller@gmail.com> writes:
> I have a PostgreSQL installation for which I would like to limit local
> domain socket access to the postgres user and members of the "myadmin"
> group. I've modified pg_hba.conf to trust local domain socket connections,
> and changed these settings in postgresql.conf:
> unix_socket_group = 'myadmin'
> unix_socket_permissions = 0770

Looks reasonable.

> When I look at the socket file in /tmp, I see the following:
> srwx------  1 postgres postgres    0 Nov 13 10:03 .s.PGSQL.5432

Huh, did you restart the server?  Are you sure you modified the right
config file?  Those settings obviously didn't "take".

            regards, tom lane

Re: unix_socket_group problem

From
Joe Miller
Date:

On Fri, Nov 13, 2009 at 11:47 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Joe Miller <joe.d.miller@gmail.com> writes:
>> I have a PostgreSQL installation for which I would like to limit local
>> domain socket access to the postgres user and members of the "myadmin"
>> group. I've modified pg_hba.conf to trust local domain socket connections,
>> and changed these settings in postgresql.conf:
>> unix_socket_group = 'myadmin'
>> unix_socket_permissions = 0770
>
> Looks reasonable.
>
>> When I look at the socket file in /tmp, I see the following:
>> srwx------  1 postgres postgres    0 Nov 13 10:03 .s.PGSQL.5432
>
> Huh, did you restart the server?  Are you sure you modified the right
> config file?  Those settings obviously didn't "take".

Definitely the right file, and I've restarted multiple times. If I set this:

#unix_socket_group = ''
unix_socket_permissions = 0770

...everything works as I expect. I have access logged in as either root or postgres, but get "permission denied" if I'm logged in as a myadmin user.

If I set this:

unix_socket_group = 'myadmin'
unix_socket_permissions = 0777

...connection is refused for all accounts.  For this config, I'd expect to see the socket owned by the myadmin group, but I should have access from any account, correct?

Joe

Re: unix_socket_group problem

From
Tom Lane
Date:
Joe Miller <joe.d.miller@gmail.com> writes:
> If I set this:

> unix_socket_group = 'myadmin'
> unix_socket_permissions = 0777

> ...connection is refused for all accounts.

Have you checked the postmaster's log to see if it's reporting any
problems?  I'm wondering if the chown() call is failing.  Perhaps
postgres isn't a member of myadmin?

Some experimentation shows that if we fail to set the requested group or
permissions on the socket, the postmaster closes the socket and hence
ignores any connection attempts through it, but the socket file is not
physically unlinked until postmaster shutdown.  So that seems consistent
with your results, but there ought to be a complaint about it in the
postmaster log.

(I'm not sure whether it's worth the trouble, or even a good idea,
to unlink earlier in this situation.  The presence of the socket file
is partially a guard against starting another postmaster on the same
port number, which seems like a good thing.)

            regards, tom lane
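
A pre-flight check for the failure mode Tom describes, as an added example that is not part of the thread or of PostgreSQL itself: it reads unix_socket_group and unix_socket_permissions from postgresql.conf and confirms that the OS user the postmaster runs as is a member of that group before the server is restarted. The config path, the server user name and the group list are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-flight check to run before restarting
# the postmaster, so a unix_socket_group that the server user cannot chown the
# socket to is caught up front rather than by a silently closed socket.
# Assumptions (not from the thread): the postgresql.conf path, the OS user the
# postmaster runs as, and that user's group list are supplied by the caller.

# Print the last uncommented value of setting $2 in config file $1.
# Handles both the quoted form ('myadmin') and the bare form (0770);
# lines commented out with '#' are ignored, as are trailing comments.
pg_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*'\{0,1\}\([^'#[:space:]]*\)'\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Return 0 if the whitespace-separated group list $1 contains group $2.
group_list_contains() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Verdict for config $1 and server user $2 whose groups are listed in $3
# (normally the output of `id -nG $2`; passed in so the check can also be
# exercised offline). Returns 0 if the settings can take effect, 1 if the
# postmaster's chown() would fail, which is the state the thread diagnoses.
check_socket_config() {
    conf=$1; user=$2; memberof=$3
    grp=$(pg_conf_value "$conf" unix_socket_group)
    perm=$(pg_conf_value "$conf" unix_socket_permissions)
    if [ -z "$grp" ]; then
        echo "ok: unix_socket_group unset; socket keeps its creating group, mode ${perm:-0777}"
        return 0
    fi
    if group_list_contains "$memberof" "$grp"; then
        echo "ok: $user is in '$grp'; expect socket $user:$grp with mode ${perm:-0777}"
        return 0
    fi
    echo "FAIL: $user is not in '$grp'; chown() will fail, the postmaster will close the" \
         "socket and clients will see 'connection refused'. Add $user to group $grp."
    return 1
}

# Live use (placeholder path): check_socket_config /path/to/postgresql.conf postgres "$(id -nG postgres)"
```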

Re: unix_socket_group problem

From
Joe Miller
Date:

On Fri, Nov 13, 2009 at 12:38 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Perhaps postgres isn't a member of myadmin?

That's what I was missing -- thanks Tom.

Joe