| Summary: | postgresql-setup does not work with umask 0027 because pg_hba.conf cannot be read by postgres user | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Edgar Hoch <edgar.hoch> | ||||
| Component: | postgresql | Assignee: | Pavel Raiskup <praiskup> | ||||
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 24 | CC: | devrim, hhorak, jmlich83, jstanek, pkajaba, pkubat, praiskup, tgl | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-03-14 07:11:49 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Attachments: |
|
||||||
Edgar, indeed, thanks for the patch! Applied upstream: https://github.com/devexp-db/postgresql-setup/commit/8c77c8062dbf1 Edgar, this has been fixed in f26 -- is it OK or should we patch f24+? Fixed in F26+. |
Created attachment 1192149 [details] Patch for postgresql-setup.in to set owner, group and mode of temporary pg_hba.conf Description of problem: /usr/bin/postgresql-setup should set owner, group and mode of pg_hba.conf file it creates to ensure it is readable by user postgres. The script fails im umask is set to not allow read by others. I provide a patch which solves the problem. Details: I tried to upgrade postgresql from 9.4 to 9.5 using /usr/bin/postgresql-setup --upgrade since I have upgraded the postgresql server from Fedora 23 to Fedora 24 (complete new installation using kickstart). postgresql-setup failed with the following message: ERROR: pg_upgrade tool failed ERROR: Upgrade failed. * See /var/lib/pgsql/upgrade_postgresql.log for details. But neither log file tells me the reason, even when called with --debug and setting environment variables as described in postgresql-setup. But I found that the following command has failed: /usr/sbin/runuser -s /bin/sh -l postgres -c '"/usr/lib64/pgsql/postgresql-9.4/bin/pg_ctl" -w -l "pg_upgrade_server.log" -D "/fs/database/postgresql/9.5-old" -o "-p 5432 -b -c listen_addresses='' -c unix_socket_permissions=0700 -c unix_socket_directories='/var/lib/pgsql'" start' Then I have added '-d 2' to the "-o" option in the command above, and then I got an error message that has pointed me to the reason of the failure: /fs/database/postgresql/9.5-old/pg_log/postgresql-Fri.log contains: LOG: could not open configuration file "/fs/database/postgresql/9.5-old/pg_hba.conf": Permission denied FATAL: could not load pg_hba.conf I checked the file: -rw-r-----. 1 root root 25 19. Aug 15:30 /fs/database/postgresql/9.5-old/pg_hba.conf The reason is that /usr/bin/postgresql-setup creates this file but does not set access permissions. I have set umask to 0027 for root as default (because I think root files (for example log files) may contains sensitive information and they should not be readable by everyone without explicit set), and so the file is created without read permission for others than root. Version-Release number of selected component (if applicable): postgresql-9.5.4-1.fc24.x86_64 postgresql-server-9.5.4-1.fc24.x86_64 postgresql-upgrade-9.5.4-1.fc24.x86_64 How reproducible: Always Steps to Reproduce: 1. Have a database from postgresql 9.4.x (for example, from Fedora 23). 2. Have postgresql 9.5.x installed (for example, using Fedora 24). See versions and packages listed above. 3. Make a backup of the database files. 4. Try upgrade the database files with umask 0027: ( umask 0027; PGSETUP_DEBUG=1 PGSETUP_PGUPGRADE_OPTIONS='-v' /usr/bin/postgresql-setup --debug --upgrade ) 5. If the command above has modified the database files (for example, if it has succeeded in a patched version of the script), remove them and restore from backup. 6. Try upgrade the database files with umask 0022: ( umask 0027; PGSETUP_DEBUG=1 PGSETUP_PGUPGRADE_OPTIONS='-v' /usr/bin/postgresql-setup --debug --upgrade ) Actual results: Step 4 fails, step 6 succeeds. Expected results: Steps 4 and 6 succeeds.