unix_socket_group problem

I have a PostgreSQL installation for which I would like to limit local
domain socket access to the postgres user and members of the "myadmin"
group. I've modified pg_hba.conf to trust local domain socket connections,
and changed these settings in postgresql.conf:

unix_socket_group = 'myadmin'
unix_socket_permissions = 0770

Using these settings, attempting to log in via psql using different accounts
results in the following:

root: connection refused
postgres: connection refused
myadmin: permission denied

When I look at the socket file in /tmp, I see the following:

srwx------ 1 postgres postgres 0 Nov 13 10:03 .s.PGSQL.5432

I thought by changing postgresql.conf the way I have, this should appear as:

srwxrwx--- 1 postgres myadmin 0 Nov 13 10:03 .s.PGSQL.5432

What am I missing? I'm currently running 64-bit PostgreSQL 8.4.1 on CentOS
5.4.

Thanks in advance,

Joe

Joe Miller [ Fr, 13 November 2009 16:47 ] [ ID #2022731 ]

Re: unix_socket_group problem

Joe Miller <joe.d.miller [at] gmail.com> writes:
> I have a PostgreSQL installation for which I would like to limit local
> domain socket access to the postgres user and members of the "myadmin"
> group. I've modified pg_hba.conf to trust local domain socket connections,
> and changed these settings in postgresql.conf:
> unix_socket_group = 'myadmin'
> unix_socket_permissions = 0770

Looks reasonable.

> When I look at the socket file in /tmp, I see the following:
> srwx------ 1 postgres postgres 0 Nov 13 10:03 .s.PGSQL.5432

Huh, did you restart the server? Are you sure you modified the right
config file? Those settings obviously didn't "take".

regards, tom lane

--
Sent via pgsql-admin mailing list (pgsql-admin [at] postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
Tom Lane [ Fr, 13 November 2009 17:47 ] [ ID #2022732 ]

Re: unix_socket_group problem

On Fri, Nov 13, 2009 at 11:47 AM, Tom Lane <tgl [at] sss.pgh.pa.us> wrote:

> Joe Miller <joe.d.miller [at] gmail.com> writes:
> > I have a PostgreSQL installation for which I would like to limit local
> > domain socket access to the postgres user and members of the "myadmin"
> > group. I've modified pg_hba.conf to trust local domain socket
> connections,
> > and changed these settings in postgresql.conf:
> > unix_socket_group = 'myadmin'
> > unix_socket_permissions = 0770
>
> Looks reasonable.
>
> > When I look at the socket file in /tmp, I see the following:
> > srwx------ 1 postgres postgres 0 Nov 13 10:03 .s.PGSQL.5432
>
> Huh, did you restart the server? Are you sure you modified the right
> config file? Those settings obviously didn't "take".
>
Definitely the right file, and I've restarted multiple times. If I set this:

#unix_socket_group = ''
unix_socket_permissions = 0770

...everything works as I expect. I have access logged in as either root or
postgres, but get "permission denied" if I'm logged in as a myadmin user.

If I set this:

unix_socket_group = 'myadmin'
unix_socket_permissions = 0777

...connection is refused for all accounts. For this config, I'd expect to
see the socket owned by the myadmin group, but I should have access from any
account, correct?


Joe

Joe Miller [ Fr, 13 November 2009 18:08 ] [ ID #2022733 ]

Re: unix_socket_group problem

Joe Miller <joe.d.miller [at] gmail.com> writes:
> If I set this:

> unix_socket_group = 'myadmin'
> unix_socket_permissions = 0777

> ...connection is refused for all accounts.

Have you checked the postmaster's log to see if it's reporting any
problems? I'm wondering if the chown() call is failing. Perhaps
postgres isn't a member of myadmin?

Some experimentation shows that if we fail to set the requested group or
permissions on the socket, the postmaster closes the socket and hence
ignores any connection attempts through it, but the socket file is not
physically unlinked until postmaster shutdown. So that seems consistent
with your results, but there ought to be a complaint about it in the
postmaster log.

(I'm not sure whether it's worth the trouble, or even a good idea,
to unlink earlier in this situation. The presence of the socket file
is partially a guard against starting another postmaster on the same
port number, which seems like a good thing.)

regards, tom lane

Tom Lane [ Fr, 13 November 2009 18:38 ] [ ID #2022734 ]

Re: unix_socket_group problem

On Fri, Nov 13, 2009 at 12:38 PM, Tom Lane <tgl [at] sss.pgh.pa.us> wrote:

>
> Perhaps postgres isn't a member of myadmin?
>
>
That's what I was missing -- thanks Tom.

Joe

Joe Miller [ Fr, 13 November 2009 18:58 ] [ ID #2022735 ]
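A shell check for the failure mode Tom describes and Joe confirms, added here as an example (not PostgreSQL project code): it reads the two settings from postgresql.conf text, renders the `ls -l` mode the socket should show, and tests whether the server user can chown() the socket to the configured group at all. The `diagnose` wrapper, its function names and the sample inputs are constructed; on a live host the inputs would be postgresql.conf, the output of `id -Gn postgres` and the `ls -l` line for /tmp/.s.PGSQL.5432.

```shell
# Added diagnostic for this thread's socket problem; not PostgreSQL project code. Inputs
# (config text, `id -Gn postgres` output, `ls -l` line) are passed in, so it runs offline.
# Effective value of KEY from postgresql.conf text on stdin: commented-out lines such as
# "#unix_socket_group = ''" are ignored, quotes are stripped, the last occurrence wins.
conf_value() {  # conf_value KEY
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*'\{0,1\}\([^'#[:space:]]*\)'\{0,1\}.*/\1/p" | tail -n 1
}
# Render an octal mode the way ls -l shows a socket: 0770 -> srwxrwx---
mode_to_ls() {  # mode_to_ls MODE
    out=s
    for d in $(printf '%s' "$1" | tail -c 3 | sed 's/./& /g'); do
        case $d in
            7) out="${out}rwx";; 6) out="${out}rw-";; 5) out="${out}r-x";; 4) out="${out}r--";;
            3) out="${out}-wx";; 2) out="${out}-w-";; 1) out="${out}--x";; *) out="${out}---";;
        esac
    done
    printf '%s\n' "$out"
}
# The postmaster runs as the server user and chown()s the socket to GROUP; a non-root
# process can only do that for a group it belongs to. GROUPS is the `id -Gn` output.
can_chgrp() {  # can_chgrp "GROUPS" GROUP -> yes|no (empty GROUP keeps the default, always ok)
    [ -z "$2" ] && { echo yes; return; }
    for g in $1; do [ "$g" = "$2" ] && { echo yes; return; }; done
    echo no
}
# Compare the socket's `ls -l` line with what the config asks for.
socket_check() {  # socket_check "LS_LINE" GROUP MODE -> ok | description of the mismatch
    have_mode=$(printf '%s\n' "$1" | awk '{print $1}')
    have_grp=$(printf '%s\n' "$1" | awk '{print $4}')
    want_grp=${2:-$(printf '%s\n' "$1" | awk '{print $3}')}   # no group set: owner's group
    want_mode=$(mode_to_ls "$3")
    [ "$have_grp" = "$want_grp" ] && [ "$have_mode" = "$want_mode" ] && { echo ok; return; }
    echo "group $have_grp (want $want_grp), mode $have_mode (want $want_mode): settings did not take"
}
# Check the chown precondition first: when it fails the postmaster closes the socket but
# leaves the file in place, so every client sees "connection refused".
diagnose() {  # diagnose "CONF_TEXT" "GROUPS" "LS_LINE"
    grp=$(printf '%s\n' "$1" | conf_value unix_socket_group)
    mode=$(printf '%s\n' "$1" | conf_value unix_socket_permissions)
    if [ "$(can_chgrp "$2" "$grp")" = no ]; then
        echo "postgres is not in group $grp: chown fails, socket closed, expect connection refused"
    else
        socket_check "$3" "$grp" "$mode"
    fi
}
# Constructed sample reproducing the thread: config asks for myadmin, postgres is not a member.
SAMPLE_CONF="#unix_socket_group = ''
unix_socket_group = 'myadmin'
unix_socket_permissions = 0770"
diagnose "$SAMPLE_CONF" "postgres" "srwx------ 1 postgres postgres 0 Nov 13 10:03 .s.PGSQL.5432"
```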