Thread: A question about the permissions

A question about the permissions

From
Tim Uckun
Date:
I am trying to monitor replication lag using zabbix. I have written a
simple script in ruby to get the lag; it goes like this.

require 'date'
require 'yaml'

# pg_controldata prints "key: value" lines; YAML.load turns them into a hash.
y = YAML.load `/usr/lib/postgresql/8.3/bin/pg_controldata /var/lib/postgresql/8.3/main`
last_checkpoint = DateTime.parse(y['Time of latest checkpoint'])
# Time elapsed since the latest checkpoint, printed in seconds.
hours, mins, secs, fractions = Date::day_fraction_to_time(DateTime.now - last_checkpoint)
puts hours * 60 * 60 + mins * 60 + secs

When I try to run this script as the zabbix user (or any user other
than postgres or root) I get the error

pg_controldata: could not open file
"/var/lib/postgresql/8.3/main/global/pg_control" for reading:
Permission denied

This is because everything under the 8.3 directory is readable by the
postgres user only (not group permissions).

Is there any harm to giving the postgres group the same rights as the
postgres group and adding the zabbix user to the postgres group?

What is the rationale for not giving the group any permissions at all?

Thanks.

BTW I think it's really cool that the output of pg_controldata is a
YAML parseable format. I am pretty sure that's by accident but don't
change it :)

Re: A question about the permissions

From
Tom Lane
Date:
Tim Uckun <timuckun@gmail.com> writes:
> What is the rationale for not giving the group any permissions at all?

On lots of systems, giving group permissions is nearly as bad as giving
world permissions (eg, all the users might be in a "users" group).
So we don't do it by default.  If you want to poke holes in the security
of your own installation, go right ahead.

            regards, tom lane

Re: A question about the permissions

From
Tim Uckun
Date:
> On lots of systems, giving group permissions is nearly as bad as giving
> world permissions (eg, all the users might be in a "users" group).
> So we don't do it by default.  If you want to poke holes in the security
> of your own installation, go right ahead.

I decided to see if I could do it without messing with permissions. I
modified the script to send the data to the monitoring system itself
and ran it from cron as the user postgres.

Now I am not getting the number I expected when I run the script.
When I run the script from the shell as user postgres I get the lag.
When I run the exact same script from cron the number I get is a
negative number under 3000. The same thing happens if I run the cron
job as root.

I suspect this is due to some environment issues. Has anybody run into
an issue like this before?
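
The approach discussed in this thread (keep the data directory owner-only and hand the monitoring user a single number instead), as an added example that is not part of the original messages. The function names, the `replication_lag` file name and the temporary directory tree are assumptions constructed for illustration, not a real cluster.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'

# Paths under +root+ (root included) that grant any group or world bit,
# returned as sorted [path, octal-mode] pairs. Symlinks are skipped because
# their own mode bits are not what access checks use.
def group_or_world_accessible(root)
  hits = []
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink?
    perms = st.mode & 0o777
    hits << [path, format('%03o', perms)] unless (perms & 0o077).zero?
  end
  hits.sort
end

# Publish one integer for the monitoring user: write a private temp file,
# set the final mode explicitly (independent of umask), rename atomically.
def publish_metric(path, value)
  tmp = "#{path}.tmp.#{Process.pid}"
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.puts(Integer(value)) }
  File.chmod(0o644, tmp)
  File.rename(tmp, path)
  path
end

# Constructed stand-in for an owner-only data directory (hypothetical layout).
def build_sample_tree(base)
  data = File.join(base, 'main')
  FileUtils.mkdir_p(File.join(data, 'global'))
  control = File.join(data, 'global', 'pg_control')
  File.write(control, 'constructed placeholder')
  File.chmod(0o600, control)
  File.chmod(0o700, File.join(data, 'global'))
  File.chmod(0o700, data)
  data
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |base|
    data = build_sample_tree(base)
    out = publish_metric(File.join(base, 'replication_lag'), 42)
    puts "exported #{File.read(out).strip}; loose paths: #{group_or_world_accessible(data).inspect}"
    File.chmod(0o750, data) # the group-readable variant asked about in the thread
    puts "after chmod 750: #{group_or_world_accessible(data).inspect}"
  end
end
```

Run as the directory owner, the audit returns an empty list for the owner-only tree and flags the directory as soon as a group bit is added.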