System users should not use valid login shells (here bash) and should only have a nologin shell. Only interactive users should have a login shell. https://www.freedesktop.org/software/systemd/man/sysusers.d.html#Shell This is also mandated by some security hardening guides, for example: https://complianceascode.github.io/content-pages/guides/ssg-rhel8-guide-cis_server_l1.html#xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts To run commands under a system, non-interactive, nologin user, one can use: - `sudo -u postgresql <your_command>` or `sudo -u postgresql bash`. This will preserve the current working directory. - `sudo su - postgresql -s /bin/bash` to get a "login" shell directly in the system user home directory. As this will require updating documentations all over the place, changing this will probably require a Fedora Change to make it more visible. See: https://src.fedoraproject.org/rpms/postgresql/pull-request/60 See: https://src.fedoraproject.org/rpms/postgresql/pull-request/61 Marked as low as this is not a security issue by itself, just a weakness point. Reproducible: Always
https://docs.fedoraproject.org/en-US/quick-docs/postgresql/#user-creation-and-database-creation has the correct sudo command but the gedit one likely won't work anymore / is likely not correct.
(In reply to Timothée Ravier from comment #0) > As this will require updating documentations all over the place, changing > this will probably require a Fedora Change to make it more visible. > > See: https://src.fedoraproject.org/rpms/postgresql/pull-request/60 > See: https://src.fedoraproject.org/rpms/postgresql/pull-request/61 I might fail to see the whole story behind these two PRs. From the fact that part of the PR#60 was reverted by PR#61, it seems like there was some important feedback based on the first PR#60 -- what was the issue we saw before the shell was set back to bash?
If I remember correctly, this failed on an openQA test.
Yes. We have an openQA test that does stuff as postgres in a way that requires it to use a login shell. It would be fairly trivial to amend the test, but the failure made me wonder whether the way openQA did it was common, and as best as I can tell, it is: I found many doc pages and Q&A-site posts, inside and outside the RH ecosystem, recommending stuff like `su postgres -c '<command>'`. In fact, this is what the current version of the official postgresql docs suggest (a detail I didn't spot before): https://www.postgresql.org/docs/current/server-start.html given that, it seemed sensible to suggest reverting the change, rather than "fixing" the test and sending out a postgresql update that might surprisingly break people's habits and examples.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.
Since even the official PostgreSQL documentation still uses su commands without specifying the shell and depends on the postgresql user having a default shell, changing the postgresql user to use the nologin shell could and would break habits and make tutorials and guides not work on fedora, it is not preferable to switch to the nologin shell by default. Furthermore if we take a look at an specfile made by PostgreSQL itself, they also use /bin/bash as a default shell for postgresql user (L:799) https://git.postgresql.org/gitweb/?p=pgrpms.git;a=blob;f=rpm/redhat/main/non-common/po[%E2%80%A6]-16.spec;h=e8a815b5e314dab5a50ae661b6c807d0bbd1a647;hb=HEAD Since we would like to stay close to upstream and not break tutorials and resources generally available it is currently not possible to use nologin shell by default.