Bug 2224073
| Summary: | postgres system user should use the nologin shell | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Timothée Ravier <travier> |
| Component: | postgresql | Assignee: | Filip Januš <fjanus> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 39 | CC: | anezbeda, anon.amish, awilliam, devrim, fjanus, hhorak, mkulik, osloup, pkubat, praiskup |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2024-06-17 08:33:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Timothée Ravier
2023-07-19 17:47:47 UTC
https://docs.fedoraproject.org/en-US/quick-docs/postgresql/#user-creation-and-database-creation has the correct sudo command but the gedit one likely won't work anymore / is likely not correct. (In reply to Timothée Ravier from comment #0) > As this will require updating documentations all over the place, changing > this will probably require a Fedora Change to make it more visible. > > See: https://src.fedoraproject.org/rpms/postgresql/pull-request/60 > See: https://src.fedoraproject.org/rpms/postgresql/pull-request/61 I might fail to see the whole story behind these two PRs. From the fact that part of the PR#60 was reverted by PR#61, it seems like there was some important feedback based on the first PR#60 -- what was the issue we saw before the shell was set back to bash? If I remember correctly, this failed on an openQA test. Yes. We have an openQA test that does stuff as postgres in a way that requires it to use a login shell. It would be fairly trivial to amend the test, but the failure made me wonder whether the way openQA did it was common, and as best as I can tell, it is: I found many doc pages and Q&A-site posts, inside and outside the RH ecosystem, recommending stuff like `su postgres -c '<command>'`. In fact, this is what the current version of the official postgresql docs suggest (a detail I didn't spot before): https://www.postgresql.org/docs/current/server-start.html given that, it seemed sensible to suggest reverting the change, rather than "fixing" the test and sending out a postgresql update that might surprisingly break people's habits and examples. This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39. Since even the official PostgreSQL documentation still uses su commands without specifying the shell and depends on the postgresql user having a default shell, changing the postgresql user to use the nologin shell could and would break habits and make tutorials and guides not work on fedora, it is not preferable to switch to the nologin shell by default. Furthermore if we take a look at an specfile made by PostgreSQL itself, they also use /bin/bash as a default shell for postgresql user (L:799) https://git.postgresql.org/gitweb/?p=pgrpms.git;a=blob;f=rpm/redhat/main/non-common/po[%E2%80%A6]-16.spec;h=e8a815b5e314dab5a50ae661b6c807d0bbd1a647;hb=HEAD Since we would like to stay close to upstream and not break tutorials and resources generally available it is currently not possible to use nologin shell by default. |