Bug 242237 - Please change postgresql init scripts so that postgres can have /sbin/nologin as a shell
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: postgresql
Version: 7
Hardware: All Linux
Priority: low Severity: low
Assigned To: Tom Lane
Reported: 2007-06-02 11:23 EDT by Bruno Wolff III
Modified: 2015-02-13 15:50 EST
Last Closed: 2007-06-02 13:10:02 EDT

Description Bruno Wolff III 2007-06-02 11:23:35 EDT
Description of problem:
Changing postgres' shell to /sbin/nologin as an extra security backstop breaks
the postgresql init script because it uses the -l option to su/runuser.

Version-Release number of selected component (if applicable):
8.2.3-2.fc7

How reproducible:
100%

Steps to Reproduce:
1. chsh -s /sbin/nologin postgres
2. service postgresql restart
  
Actual results:
The command fails.

Expected results:
The command succeeds.

Additional info:
There doesn't seem to be a good reason to do this. I looked at the scripts and
the passed pathnames appeared to be absolute. If the locales are set differently
in postgres' dotfiles than root's or the invoker's, then this will affect initdb.
But I am not sure that the current behavior is any more expected than using
root's locale and in the normal case they'll be the same.
Comment 1 Tom Lane 2007-06-02 13:10:02 EDT
Well, in the first place I disagree with not allowing someone to su to postgres --- that's a useful thing to 
do for maintenance/diagnostic purposes.  In the second place, we can't just remove the -l option because 
that installs possibly-important environment settings for the postmaster.  Accordingly, this is not a bug in 
my judgment.
Comment 2 Bruno Wolff III 2007-06-03 14:34:54 EDT
You are correct. I could have sworn that having /sbin/nologin only blocked su -l,
not su without the -l. But after testing it to verify what you said, I withdraw
my request. Sorry about bugging you about this one.
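
An added example, not part of the bug report or of the Fedora package: a pre-change check for the situation in this thread, listing the su/runuser calls in a service's scripts that would stop working once the account's shell is /sbin/nologin. The function names and sample file contents are constructed for illustration; the scan treats calls that pass -s/--shell (the su/runuser option that lets root name the shell to run, not mentioned in the thread) as unaffected.

```shell
#!/bin/sh
# Added example: heuristic, line-based scan (not a shell parser).

# Print the login shell recorded for account $1 in passwd-format file $2.
login_shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Print "file:line:text" for each su/runuser call in the given scripts that
# targets account $1 without -s/--shell. su starts the target's login shell
# with or without -l, so these calls fail once that shell is /sbin/nologin.
shell_dependent_calls() {
    account=$1; shift
    grep -nE "(^|[^[:alnum:]_])(su|runuser)[[:space:]].*[[:space:]]${account}([[:space:]]|\$)" \
            "$@" /dev/null |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' |
        grep -vE '[[:space:]](-s|--shell)[[:space:]=]'
}

# Succeed (listing the calls) if account $1 has a no-login shell in passwd
# file $2 while scripts $3... still depend on it; fail otherwise.
nologin_breaks_scripts() {
    account=$1; passwd=$2; shift 2
    case $(login_shell_of "$account" "$passwd") in
        */nologin|*/false) shell_dependent_calls "$account" "$@" ;;
        *) return 1 ;;
    esac
}

# Write constructed sample files (not the real Fedora init script) into dir $1.
make_samples() {
    echo 'postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/sbin/nologin' > "$1/passwd"
    cat > "$1/postgresql.init" <<'EOF'
start() {
    su -l postgres -c "postmaster -D /var/lib/pgsql/data &"
}
# su -l postgres -c "disabled line"
status() {
    runuser -s /bin/sh postgres -c "pg_ctl status -D /var/lib/pgsql/data"
}
EOF
}

demo=$(mktemp -d) && make_samples "$demo"
nologin_breaks_scripts postgres "$demo/passwd" "$demo/postgresql.init" || true
rm -rf "$demo"
```

On the constructed sample only the `su -l postgres` line in `start()` is reported; the commented-out line and the `runuser -s /bin/sh` call are skipped.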
