Bug 2224073 - postgres system user should use the nologin shell
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: postgresql
Version: 39
Hardware: All
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Filip Januš
QA Contact: Fedora Extras Quality Assurance
Reported: 2023-07-19 17:47 UTC by Timothée Ravier
Modified: 2023-08-16 08:15 UTC

Description Timothée Ravier 2023-07-19 17:47:47 UTC
System users should not use valid login shells (here bash) and should only have a nologin shell. Only interactive users should have a login shell.

https://www.freedesktop.org/software/systemd/man/sysusers.d.html#Shell

This is also mandated by some security hardening guides, for example: https://complianceascode.github.io/content-pages/guides/ssg-rhel8-guide-cis_server_l1.html#xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts

To run commands under a system, non-interactive, nologin user, one can use:
- `sudo -u postgresql <your_command>` or `sudo -u postgresql bash`. This will preserve the current working directory.
- `sudo su - postgresql -s /bin/bash` to get a "login" shell directly in the system user home directory.

As this will require updating documentation all over the place, changing this will probably require a Fedora Change to make it more visible.

See: https://src.fedoraproject.org/rpms/postgresql/pull-request/60
See: https://src.fedoraproject.org/rpms/postgresql/pull-request/61

Marked as low as this is not a security issue by itself, just a weakness point.

Reproducible: Always
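
Added example, not part of the bug report or of the Fedora package: a small audit for the condition described above, listing system accounts that still have a login shell. The UID threshold of 1000, the set of shells treated as non-login, and the sample passwd entries are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list system accounts whose shell permits interactive login.

# Constructed sample in passwd(5) format; not taken from a real host.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
chrony:x:993:990::/var/lib/chrony:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# system_login_shells [UID_MIN]
# Reads passwd(5) lines on stdin and prints "name:uid:shell" for every account
# with 0 < uid < UID_MIN whose shell is not a known non-login program.
# root (uid 0) is skipped; an empty shell field is reported, since it means /bin/sh.
system_login_shells() {
    awk -F: -v uid_min="${1:-1000}" '
        BEGIN {
            # Assumed set of non-login shells; adjust to local policy.
            n = split("/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false /bin/sync /sbin/shutdown /sbin/halt", s, " ")
            for (i = 1; i <= n; i++) nonlogin[s[i]] = 1
        }
        /^#/ || NF < 7 { next }     # skip comments and malformed lines
        $3 !~ /^[0-9]+$/ { next }   # skip entries without a numeric uid
        ($3 + 0) > 0 && ($3 + 0) < (uid_min + 0) && !($7 in nonlogin) {
            print $1 ":" $3 ":" $7
        }
    '
}

# Demo on the constructed sample. On a real host: getent passwd | system_login_shells
sample_passwd | system_login_shells 1000
```
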

Comment 1 Timothée Ravier 2023-07-19 17:52:48 UTC
https://docs.fedoraproject.org/en-US/quick-docs/postgresql/#user-creation-and-database-creation has the correct sudo command but the gedit one likely won't work anymore / is likely not correct.

Comment 2 Honza Horak 2023-07-21 14:10:58 UTC
(In reply to Timothée Ravier from comment #0)
> As this will require updating documentations all over the place, changing
> this will probably require a Fedora Change to make it more visible.
> 
> See: https://src.fedoraproject.org/rpms/postgresql/pull-request/60
> See: https://src.fedoraproject.org/rpms/postgresql/pull-request/61

I might fail to see the whole story behind these two PRs. From the fact that part of the PR#60 was reverted by PR#61, it seems like there was some important feedback based on the first PR#60 -- what was the issue we saw before the shell was set back to bash?

Comment 3 Timothée Ravier 2023-07-25 13:48:49 UTC
If I remember correctly, this failed on an openQA test.

Comment 4 Adam Williamson 2023-07-25 16:32:48 UTC
Yes. We have an openQA test that does stuff as postgres in a way that requires it to use a login shell.

It would be fairly trivial to amend the test, but the failure made me wonder whether the way openQA did it was common, and as best as I can tell, it is: I found many doc pages and Q&A-site posts, inside and outside the RH ecosystem, recommending stuff like `su postgres -c '<command>'`. In fact, this is what the current version of the official postgresql docs suggests (a detail I didn't spot before):

https://www.postgresql.org/docs/current/server-start.html

Given that, it seemed sensible to suggest reverting the change, rather than "fixing" the test and sending out a postgresql update that might surprisingly break people's habits and examples.

Comment 5 Fedora Release Engineering 2023-08-16 08:15:27 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

