Bug 1122143 - Postgresql won't start if user postgres is locked (/sbin/nologin).
Summary: Postgresql won't start if user postgres is locked (/sbin/nologin).
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: postgresql
Version: 7.1
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Petr Kubat
QA Contact: Jakub Prokes
URL:
Whiteboard:
Depends On: 1122118
Blocks: 1305230
TreeView+ depends on / blocked
 
Reported: 2014-07-22 15:56 UTC by Pavel Raiskup
Modified: 2018-12-06 17:25 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1122118
Environment:
Last Closed: 2016-11-03 21:27:49 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2606 normal SHIPPED_LIVE Moderate: postgresql security and bug fix update 2016-11-03 12:13:40 UTC

Description Pavel Raiskup 2014-07-22 15:56:04 UTC
Summary says it all.  Cloning for RHEL7.

+++ This bug was initially created as a clone of Bug #1122118 +++

Resolution:
The workaround is to edit /etc/rc.d/init.d/postgresql, but it only lasts until
the next postgresql upgrade.

Fix, add '-s /bin/bash' to runuser command lines in the /etc/init.d/postgresql
script.

Additional info:

--- Additional comment from Pavel Raiskup on 2014-07-22 17:52:22 CEST ---

(In reply to Andrew Riell from comment #0)
> Description of problem:
> SCAP security guide recommends that all UIDs < 500 (except root) be disabled
> from login by setting their shell to /sbin/nologin.  If you disable the
> postgres user this way, then postgresql will not start via 'service
> postgresql start'

Thanks for reporting this.

> As SCAP gets more integrated into RHEL in 7, and more people start using
> openscap functionality, this will become even more important.  So, even if
> this doesn't get fixed in RHEL 6, it needs to be fixed in RHEL 7.

Well, in RHEL 7 there is a problem only with 'postgresql-setup' and database
initialization (which is usually one-shot command).  The command 'systemctl
start postgresql' (or service postgresql start) itself is not affected.

> Fix, add '-s /bin/bash' to runuser command lines in the
> /etc/init.d/postgresql script.

You seem to be correct here.

Comment 10 errata-xmlrpc 2016-11-03 21:27:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2606.html


Note You need to log in before you can comment on or make changes to this bug.