Bug 1122143

Summary: Postgresql won't start if user postgres is locked (/sbin/nologin).
Product: Red Hat Enterprise Linux 7
Reporter: Pavel Raiskup <praiskup>
Component: postgresql
Assignee: Petr Kubat <pkubat>
Status: CLOSED ERRATA
QA Contact: Jakub Prokes <jprokes>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.1
CC: databases-maint, hhorak, jprokes, jscotka, ktoyama, ovasik, qe-baseos-daemons
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1122118
Environment:
Last Closed: 2016-11-03 21:27:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1122118
Bug Blocks: 1305230

Description Pavel Raiskup 2014-07-22 15:56:04 UTC
Summary says it all.  Cloning for RHEL7.

+++ This bug was initially created as a clone of Bug #1122118 +++

Resolution:
The workaround is to edit /etc/rc.d/init.d/postgresql, but it only lasts until
the next postgresql upgrade.

Fix, add '-s /bin/bash' to runuser command lines in the /etc/init.d/postgresql
script.

Additional info:

--- Additional comment from Pavel Raiskup on 2014-07-22 17:52:22 CEST ---

(In reply to Andrew Riell from comment #0)
> Description of problem:
> SCAP security guide recommends that all UIDs < 500 (except root) be disabled
> from login by setting their shell to /sbin/nologin.  If you disable the
> postgres user this way, then postgresql will not start via 'service
> postgresql start'

Thanks for reporting this.

> As SCAP gets more integrated into RHEL in 7, and more people start using
> openscap functionality, this will become even more important.  So, even if
> this doesn't get fixed in RHEL 6, it needs to be fixed in RHEL 7.

Well, in RHEL 7 there is a problem only with 'postgresql-setup' and database
initialization (which is usually one-shot command).  The command 'systemctl
start postgresql' (or service postgresql start) itself is not affected.

> Fix, add '-s /bin/bash' to runuser command lines in the
> /etc/init.d/postgresql script.

You seem to be correct here.
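
The conflict described in this report can be checked for before an account's shell is changed to /sbin/nologin. The following is an added example, not part of the original report or of the postgresql package: it lists the accounts the SCAP rule applies to and flags runuser calls for them that pass no '-s' option. The function names and the sample passwd and script lines are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the postgresql package): find runuser calls that will
# break once an account's shell is set to /sbin/nologin.

# Constructed sample data, not taken from a real system or init script.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash'
SAMPLE_SCRIPT='# start the server
runuser -l postgres -c "postmaster -D /var/lib/pgsql/data &"
runuser -s /bin/bash -l postgres -c "pg_ctl stop -D /var/lib/pgsql/data"'

# passwd(5) lines on stdin -> names of accounts with UID < 500 (except root)
# whose shell is /sbin/nologin.
locked_system_accounts() {
    awk -F: '$3 < 500 && $1 != "root" && $7 == "/sbin/nologin" { print $1 }'
}

# Script text on stdin -> "LINENO: text" for each runuser call naming account $1
# with no -s/--shell before -c. Line-based heuristic: it does not expand
# shell variables or follow line continuations.
runuser_without_shell() {
    awk -v user="$1" '
        /^[ \t]*#/ { next }
        {
            call = 0; named = 0; shell = 0; past_c = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "runuser" || $i ~ /\/runuser$/) call = 1
                else if ($i == user) named = 1
                else if ($i == "-c" || $i == "--command") past_c = 1
                else if (!past_c && ($i == "-s" || $i == "--shell" || $i ~ /^--shell=/)) shell = 1
            }
            if (call && named && !shell) print NR ": " $0
        }'
}

# $1 = passwd text, $2 = script text -> one "ACCOUNT: line N: text" per finding.
audit() {
    printf '%s\n' "$1" | locked_system_accounts | while IFS= read -r acct; do
        printf '%s\n' "$2" | runuser_without_shell "$acct" |
            while IFS= read -r hit; do printf '%s: line %s\n' "$acct" "$hit"; done
    done
}

audit "$SAMPLE_PASSWD" "$SAMPLE_SCRIPT"
```

On a real host, feed the functions from `getent passwd` and the script under review instead of the sample variables.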

Comment 10 errata-xmlrpc 2016-11-03 21:27:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2606.html