Bug 2224073

Summary: postgres system user should use the nologin shell
Product: [Fedora] Fedora
Reporter: Timothée Ravier <travier>
Component: postgresql
Assignee: Filip Januš <fjanus>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 39
CC: anon.amish, awilliam, devrim, fjanus, hhorak, mkulik, osloup, pkubat, praiskup
Hardware: All   
OS: Linux   

Description Timothée Ravier 2023-07-19 17:47:47 UTC
System users should not use valid login shells (here bash) and should only have a nologin shell. Only interactive users should have a login shell.

https://www.freedesktop.org/software/systemd/man/sysusers.d.html#Shell

This is also mandated by some security hardening guides, for example: https://complianceascode.github.io/content-pages/guides/ssg-rhel8-guide-cis_server_l1.html#xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts

To run commands under a system, non-interactive, nologin user, one can use:
- `sudo -u postgresql <your_command>` or `sudo -u postgresql bash`. This will preserve the current working directory.
- `sudo su - postgresql -s /bin/bash` to get a "login" shell directly in the system user home directory.

As this will require updating documentation all over the place, changing this will probably require a Fedora Change to make it more visible.

See: https://src.fedoraproject.org/rpms/postgresql/pull-request/60
See: https://src.fedoraproject.org/rpms/postgresql/pull-request/61

Marked as low as this is not a security issue by itself, just a weakness point.

Reproducible: Always
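
The check that the description and the linked hardening rule imply, as an added example that is not part of the bug report or of the Fedora package: it lists system accounts in a passwd(5)-format file whose shell is neither nologin nor false. The sample entries, the UID_MIN of 1000 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report system accounts that still have a login shell.
# Assumptions: system accounts are UIDs 1..UID_MIN-1 (UID_MIN 1000 here,
# /etc/login.defs is the authority) and root is exempt.

# Constructed sample in passwd(5) format; every entry is illustrative.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
chrony:x:993:990::/var/lib/chrony:/usr/sbin/nologin
legacysvc:x:480:480::/var/lib/legacysvc:
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# audit_system_shells FILE [UID_MIN]
# FILE is a passwd-format file, or "-" for stdin. Prints "name:shell" for
# each system account whose shell is neither nologin nor false.
audit_system_shells() {
    awk -F: -v uid_min="${2:-1000}" '
        /^#/ || NF < 7 { next }                        # comment or malformed
        $3 + 0 == 0 || $3 + 0 >= uid_min + 0 { next }  # root or regular user
        {
            # An empty shell field means /bin/sh, which is a login shell.
            shell = ($7 == "") ? "/bin/sh" : $7
            n = split(shell, part, "/")
            if (part[n] == "nologin" || part[n] == "false") next
            print $1 ":" shell
        }
    ' "$1"
}

# Demo on the constructed sample; point it at /etc/passwd on a real host.
sample_passwd | audit_system_shells -
```

On the constructed sample this reports the `postgres` entry and the entry with an empty shell field; an empty result means no system account has a login shell.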

Comment 1 Timothée Ravier 2023-07-19 17:52:48 UTC
https://docs.fedoraproject.org/en-US/quick-docs/postgresql/#user-creation-and-database-creation has the correct sudo command but the gedit one likely won't work anymore / is likely not correct.

Comment 2 Honza Horak 2023-07-21 14:10:58 UTC
(In reply to Timothée Ravier from comment #0)
> As this will require updating documentations all over the place, changing
> this will probably require a Fedora Change to make it more visible.
> 
> See: https://src.fedoraproject.org/rpms/postgresql/pull-request/60
> See: https://src.fedoraproject.org/rpms/postgresql/pull-request/61

I might fail to see the whole story behind these two PRs. From the fact that part of the PR#60 was reverted by PR#61, it seems like there was some important feedback based on the first PR#60 -- what was the issue we saw before the shell was set back to bash?

Comment 3 Timothée Ravier 2023-07-25 13:48:49 UTC
If I remember correctly, this failed on an openQA test.

Comment 4 Adam Williamson 2023-07-25 16:32:48 UTC
Yes. We have an openQA test that does stuff as postgres in a way that requires it to use a login shell.

It would be fairly trivial to amend the test, but the failure made me wonder whether the way openQA did it was common, and as best as I can tell, it is: I found many doc pages and Q&A-site posts, inside and outside the RH ecosystem, recommending stuff like `su postgres -c '<command>'`. In fact, this is what the current version of the official postgresql docs suggests (a detail I didn't spot before):

https://www.postgresql.org/docs/current/server-start.html

Given that, it seemed sensible to suggest reverting the change, rather than "fixing" the test and sending out a postgresql update that might surprisingly break people's habits and examples.

Comment 5 Fedora Release Engineering 2023-08-16 08:15:27 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.