On 9/1/22 6:31 PM, Jeffrey Walton wrote:
On Thu, Sep 1, 2022 at 8:51 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
"Peter J. Holzer" <hjp-pgsql@xxxxxx> writes:
However, the symlink doesn't seem to be the culprit. If I run
% sudo -u postgres -H /usr/lib/postgresql/13/bin/psql
(which is not a symlink)
I get the same behaviour. So it seems that psql changes to its basedir
and then can't change back again.
Ah --- looking closer at that code, it will chdir *before* checking
whether the target file is a symlink, which is probably unnecessarily
stupid. I'm wondering whether we could drop that logic altogether [1],
but that won't help you today.
I concur with the other person asking why you want to sudo to postgres
at all, though. It's generally safest if the client side isn't running
as the same user as the server.
The use case is an install of DefectDojo [2]. I _think_ they are
taking advantage of the fact that as root, you don't need to
authenticate because of postgresql's use of domain sockets. (Hat tip
for that, by the way). The installer code will install packages, setup
the database, install the DefectDojo programs, etc.
You are not running as root(Postgres won't allow you do this anyway) you
are running as postgres system user and the authentication is handled by
pg_hba.conf. I'm also betting that if you look at pg_hba.conf it is set
up to do peer authentication and hence the need to be postgres system
user. You can obtain a similar result in pg_hba.conf with:
TYPE DATABASE USER ADDRESS METHOD
local all postgres trust
Then you could eliminate the whole sudo dance.
Or set up:
TYPE DATABASE USER ADDRESS METHOD
host postgres all <some_host> scram-
sha-256
if you want password protection.
Jeff
[1] https://www.postgresql.org/message-id/797232.1662075573%40sss.pgh.pa.us
[2] https://github.com/DefectDojo/godojo
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
