Permission denied for COPY file on valid directory - postgresql

My PostgreSQL v10 is running on an Ubuntu server. The user group www-data contains the user postgres, as checked by grep ^www-data /etc/group. When I do sudo chown -R :postgres MyPath it works fine, but when I change to sudo chown -R :www-data MyPath it does not work.
How do I set permissions so that the postgres user can access a directory that belongs to another user group?
NOTES
As @LaurenzAlbe suggested in a comment, ls -ld myPath gives
drwxrwxr-x 29 root postgres 4096 Feb 27 15:54 myPath
and id postgres gives
uid=112(postgres) gid=117(postgres) groups=117(postgres),33(www-data),116(ssl-cert)
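The thread as captured here carries no answer. As an added example, not code from the question or from any answer, the script below reproduces the permission walk the kernel performs when the server opens a COPY target: every directory on the way needs the search (x) bit, and the final entry needs read (COPY FROM) or, for a file that is being created, write on its directory (COPY TO). The walk is evaluated against the server process's uid and the supplementary groups it was started with, which is the usual catch with group-based access: a process keeps the group list it had at startup, so a group added to the postgres account takes effect only after the server is restarted, and the Groups: line of /proc/<pid>/status shows what the running postmaster actually holds. The sample tree, the file name under /srv/MyPath and the /proc excerpt are constructed; uid 112, gid 117 (postgres) and gid 33 (www-data) are taken from the id output above.

```python
"""Walk a path the way the kernel checks it when PostgreSQL opens a COPY target.

Added example; not code from the original thread. Constructed data mirrors the
ls -ld and id output in the question, the rest of the tree is hypothetical.
"""
import os
import stat
from typing import Dict, Optional, Set, Tuple

R, W, X = 4, 2, 1

# Constructed stand-in for stat(2) results: path -> (uid, gid, mode).
# /srv/MyPath mirrors the question's directory (root:postgres, 0775).
# uid 112 / gid 117 = postgres, gid 33 = www-data, as in `id postgres`.
Tree = Dict[str, Tuple[int, int, int]]
SAMPLE_TREE: Tree = {
    "/": (0, 0, 0o755),
    "/srv": (0, 0, 0o755),
    "/srv/MyPath": (0, 117, 0o775),
    "/srv/MyPath/export.csv": (33, 33, 0o640),  # www-data:www-data, group-readable only
}


def allowed(uid: int, gids: Set[int], owner: int, group: int, mode: int, want: int) -> bool:
    """Classic DAC: root bypasses; otherwise the owner bits apply if the uid
    matches, else the group bits if the file's group is in the caller's group
    set, else the 'other' bits. `want` is a mask of R/W/X bits."""
    if uid == 0:
        return True
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def _prefixes(path: str):
    out = ["/"]
    for part in filter(None, path.strip("/").split("/")):
        out.append(os.path.join(out[-1], part))
    return out


def first_denied(path: str, uid: int, gids: Set[int], tree: Tree, want: int = R) -> Optional[str]:
    """Return the first path component that denies access, or None if the
    whole path is usable. Every directory on the way needs x; only the last
    entry needs `want` (R to read a file, W on a directory to create one)."""
    prefixes = _prefixes(path)
    last = len(prefixes) - 1
    for i, p in enumerate(prefixes):
        owner, group, mode = tree[p]
        need = want if i == last else X
        if not allowed(uid, gids, owner, group, mode, need):
            return p
    return None


def parse_proc_groups(status_text: str) -> Set[int]:
    """Supplementary GIDs from the text of /proc/<pid>/status. This is the
    group set the process really has, fixed when it was started."""
    for line in status_text.splitlines():
        if line.startswith("Groups:"):
            return {int(g) for g in line.split()[1:]}
    return set()


def stat_tree(path: str) -> Tree:
    """Build the same path -> (uid, gid, mode) map from the live filesystem,
    so first_denied() can be run against a real COPY target."""
    tree: Tree = {}
    for p in _prefixes(os.path.abspath(path)):
        st = os.stat(p)
        tree[p] = (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return tree


if __name__ == "__main__":
    # Constructed /proc excerpt for a postmaster started before www-data was added.
    stale = "Name:\tpostgres\nUid:\t112\t112\t112\t112\nGid:\t117\t117\t117\t117\nGroups:\t117 116 \n"
    print("stale groups:", first_denied("/srv/MyPath/export.csv", 112, parse_proc_groups(stale), SAMPLE_TREE))
    print("after restart:", first_denied("/srv/MyPath/export.csv", 112, {117, 33, 116}, SAMPLE_TREE))
```

With the stale group set the leaf file is reported as the denying component even though the directory is fine; with www-data present the same walk succeeds, which is the difference between what `id postgres` prints for a fresh login and what the already running server can use.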

Related

Create empty directories with cloud_init

I am trying to configure a user account using a cloud-init YAML file that includes a call to the write_files module, like this:
write_files:
#passwd file for vncserver
- path: /home/ubuntu/.vnc/passwd
owner: ubuntu:ubuntu
permissions: '0600'
defer: true
encoding: b64
content: bmtzZGN1eQo=
The file is created as expected, but the problem is that the parent directory is owned by root, and not by the ubuntu user.
$ ls -la .vnc/
total 12
drwxr-xr-x 2 root root 4096 Dec 20 16:24 .
drwxr-x--- 5 ubuntu ubuntu 4096 Dec 20 16:24 ..
-rw------- 1 ubuntu ubuntu 8 Dec 20 16:24 passwd
I tried to manually create the /home/ubuntu/.vnc/ directory prior to creating the passwd file, to be able to set the ownership of the directory, only to find that the documentation of write_files does not explain how to create (empty) directories.
I know that I could do this using the runcmd module to insert commands like these:
runcmd:
# 0700 rather than 0600: the owner needs the x bit to enter the directory
- mkdir --mode 0700 --parents /home/ubuntu/.vnc
- echo bmtzZGN1eQo | base64 -d > /home/ubuntu/.vnc/passwd
- chmod 0600 /home/ubuntu/.vnc/passwd
# runcmd runs as root, so hand the directory and the file to the user afterwards
- chown -R ubuntu:ubuntu /home/ubuntu/.vnc
but this seems too complex for such a small task.
Is it possible to use the write_files module to create directories or to change the ownership/permissions of existing directories?

`pg_ls_dir` can query some directories, but not others

On my system, /home and /etc have exactly the same permissions:
$ ls -ld /home /etc
drwxr-xr-x 67 root root 4096 Nov 13 15:59 /etc
drwxr-xr-x 3 root root 4096 Oct 18 13:45 /home
However, Postgres can read one, but not the other:
test=# select count(*) from (select pg_ls_dir('/etc')) a;
count
-------
149
(1 row)
test=# select count(*) from (select pg_ls_dir('/home')) a;
ERROR: could not open directory "/home": Permission denied
Even though the user the DB is running as can, in fact, run ls /home:
$ sudo -u postgres ls /home > /dev/null && echo "ls succeeded"
ls succeeded
What is going on?
My postgres version is 11.5, running on Arch Linux.
I figured it out: Arch's bundled postgresql.service file sets ProtectHome=true, causing systemd to use Linux mount namespaces to block the postgres processes from accessing /home.
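As an added example, not part of the post above, the script below predicts what the ProtectHome= setting does to a given path, the way a practitioner would check before blaming file permissions. The effective value is the last assignment in the [Service] section across the unit file and its drop-ins (drop-ins are read after the unit, so a drop-in created with systemctl edit postgresql.service overrides the packaged ProtectHome=true). The live value can be read with systemctl show -p ProtectHome postgresql.service; the unit text and drop-in text used here are constructed and are not a copy of the Arch unit. The directory list and the meaning of the values (true: inaccessible and empty; read-only; tmpfs: an empty read-only tmpfs) follow systemd.exec(5).

```python
"""Predict systemd ProtectHome= effects on a path.

Added example; not code from the original post. Unit text is constructed.
"""
import re
from typing import Iterable

# The three directories ProtectHome= acts on, per systemd.exec(5).
PROTECTED = ("/home", "/root", "/run/user")


def effective_protect_home(unit_text: str, dropins: Iterable[str] = ()) -> str:
    """Return the effective ProtectHome= value: the last assignment in a
    [Service] section wins, and drop-ins are applied after the main unit.
    '' means never set, which is systemd's default (no protection)."""
    value = ""
    for text in [unit_text, *dropins]:
        in_service = False
        for raw in text.splitlines():
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                in_service = line == "[Service]"
                continue
            m = re.match(r"ProtectHome\s*=\s*(.*)$", line)
            if in_service and m:
                value = m.group(1).strip()
    return value


def effect_on(path: str, protect_home: str) -> str:
    """What the service sees at `path`: 'inaccessible' (opendir fails with
    EACCES, which is the pg_ls_dir error in the thread), 'read-only',
    'empty-tmpfs', or 'normal' for paths outside the protected set or when
    the option is off."""
    under = any(path == d or path.startswith(d + "/") for d in PROTECTED)
    if not under:
        return "normal"
    v = protect_home.lower()
    if v in ("yes", "true", "on", "1"):
        return "inaccessible"
    if v == "read-only":
        return "read-only"
    if v == "tmpfs":
        return "empty-tmpfs"
    return "normal"


if __name__ == "__main__":
    # Constructed stand-in for a packaged unit that sets ProtectHome=true.
    unit = "[Unit]\nDescription=PostgreSQL database server\n\n[Service]\nType=notify\nProtectHome=true\n"
    # Constructed drop-in as `systemctl edit postgresql.service` would write it.
    dropin = "[Service]\nProtectHome=read-only\n"
    for p in ("/etc", "/home", "/home/alice/export.csv"):
        print(p, effect_on(p, effective_protect_home(unit)), effect_on(p, effective_protect_home(unit, [dropin])))
```

The check against the path prefix is deliberate: a directory such as /homework is not under /home and is unaffected, which matters when a data export lands in an unexpectedly named mount.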

What does 1000 mean in chgrp and chown?

I am reading a blog on integrating EFK (a log system) into k8s on CentOS 7.4. It gives the following instructions:
# mkdir ~/es_data
# chmod g+rwx es_data
# chgrp 1000 es_data
# chown 1000 -R es_data
# ls -l /root/es_data/
total 8
drwxrwxr-x 2 1000 1000 4096 Jun 8 09:50 ./
drwx------ 8 root root 4096 Jun 8 09:50 ../
I log in as root. The instructions say that if I do chgrp 1000 es_data and chown 1000 -R es_data, the directory's owner and group will be 1000. But when I follow the instructions, I see the following:
drwxr-xr-x. 2 master16g master16g 6 Jul 11 15:27 es_data
The owner and group appear to be the machine hostname, master16g.
Could someone give me hints about what happens here with chgrp 1000 and chown 1000?
chown changes the owner, chgrp changes the group. Because you have a user and a group both named master16g, with 1000 as UID and GID respectively, you see the user name and the group name in the listing. chown accepts a UID as a parameter as well as a username; this is well documented in the manual. chgrp likewise accepts a GID or a group name. You can change both with one command: chown 1000:1000 es_data -R or chown master16g:master16g es_data -R.
The first Linux user usually has UID/GID 1000.
For instance, if you chown 0:1000 file you will see root:master16g as the file owner.
You can get the details of the elasticsearch user by running id elasticsearch.

FATAL: could not access private key file “/etc/ssl/private/ssl-cert-snakeoil.key”: Permission denied

I believe I ended up mixing up permissions in the /etc/ssl directory tree, as the last modification was made on 18th November and a day later I could not get my PostgreSQL to work.
When I type in
sudo service postgresql start
I get
FATAL: could not access private key file “/etc/ssl/private/ssl-cert-snakeoil.key”: Permission denied
Checking permissions
~$ sudo -i
~$ ls -la /etc/ssl/private
drw-r----- 2 root ssl-cert 4096 Nov 18 21:10 .
-rwxrwxrwx 1 postgres postgres 1704 Set 4 11:26 ssl-cert-snakeoil.key
Checking group composition
~$ id postgres
uid=114(postgres) gid=127(postgres) groups=127(postgres),114(ssl-cert)
Also I noticed that my ssl-cert-snakeoil.pem file in /etc/ssl/certs/ doesn't have a symlink. I don't know if this makes any difference...
Please, help me sort this out.
Thanks.
Edit: Should it be posted on serverfault instead?
Try adding the postgres user to the group ssl-cert.
Run the commands below to fix your issue:
# It happened to me and it turned out that I had erroneously removed the postgres user from the "ssl-cert" group; set it back with
sudo gpasswd -a postgres ssl-cert
# Fix ownership and mode
sudo chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
sudo chmod 740 /etc/ssl/private/ssl-cert-snakeoil.key
# now postgresql starts! (and the install command doesn't fail anymore)
sudo /etc/init.d/postgresql start
Courtesy of GabLeRoux.
Check the output of
$ sudo -u postgres -s
$ cd /etc/ssl/private
$ ls
If the response is "Permission denied", do
$ sudo chown postgres:ssl-cert /etc/ssl/private/
$ sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key
The only thing that will work if you have changed the permissions of /etc/ssl/private:
mkdir /etc/ssl/private-copy; mv /etc/ssl/private/* /etc/ssl/private-copy/; rm -r /etc/ssl/private; mv /etc/ssl/private-copy /etc/ssl/private; chmod -R 0700 /etc/ssl/private; chown -R postgres /etc/ssl/private
Copy this whole command (it's a single line).
If this doesn't work for you, check your postgres user's groups with groups postgres and make sure your postgres user has ssl-cert root postgres (order doesn't matter).
Now let's check your file permissions on ssl/private:
$ ls -la /etc/ssl/
> drwx------ 2 postgres root private
If this is not the output, change your permissions with sudo chmod -R 700 /etc/ssl/private and the owners with sudo chown -R postgres:root /etc/ssl/private.
Now check the permissions on ssl-cert-snakeoil.key, which will be inside your private directory:
$ ls -la /etc/ssl/private/ssl-cert-snakeoil.key
> -rwx------ 1 postgres root /etc/ssl/private/ssl-cert-snakeoil.key
I was suffering from this issue when attempting to start PostgreSQL on a remote Docker instance. I eventually tracked down the crazy solution here. Basically you have to recreate the directories; chown on its own doesn't work:
mkdir /etc/ssl/private-copy; mv /etc/ssl/private/* /etc/ssl/private-copy/; rm -r /etc/ssl/private; mv /etc/ssl/private-copy /etc/ssl/private; chmod -R 0700 /etc/ssl/private; chown -R postgres /etc/ssl/private
This error was preventing my PostgreSQL server from running locally.
The following worked for me:
sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key
sudo chmod 600 /etc/ssl/private/ssl-cert-snakeoil.key
Also make sure that /etc/ssl/private has enough permissions.
Some programs can be incredibly pedantic and cost you valuable hours. By running journalctl after sudo systemctl start postgresql I'd see various errors like:
FATAL: could not load private key file "/etc/ssl/private/ssl-cert-snakeoil.key": Permission denied
FATAL: private key file "/etc/ssl/private/ssl-cert-snakeoil.key" must be owned by the database user or root
FATAL: private key file "/etc/ssl/private/ssl-cert-snakeoil.key" has group or world access
DETAIL: File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
I couldn't make it work with sudo chown root:root, so I had to settle for sudo chown postgres:postgres.
EDIT
I haven't tried it, but deleting and regenerating the snakeoil certificate might work as well:
make-ssl-cert generate-default-snakeoil --force-overwrite
(You may have to run it with sudo, don't know.)
Try setting permissions on the .key file to 600. Postgres doesn't like key files with group or world permissions set. You may also need to change the owner to postgres, though I'm not sure about that.
I am running the postgres server in WSL and was facing the error with the ssl-cert file. I managed to make it work by changing the owner of the file to the postgres user I had created, giving that user the user and group IDs the application expects (111 and 116 respectively, as gleaned from helpful error messages), and voilà, I have an active server from within WSL.
sudo useradd postgres
sudo usermod -u 111 -g 116 -a -G ssl-cert postgres
sudo chown postgres /etc/ssl/private/ssl-cert-snakeoil.key
After running the above, there were two more files the user running the server (postgres for me) needed permission to access, both residing in /var/postgresql. I used sudo chown twice more to give ownership to postgres. Running sudo service postgresql start will tell you through its error messages which files you need to transfer ownership of.
I had other certificates under /etc/ssl/private, and hence changing permissions recursively was out of the question.
I tried adding the postgres user to the ssl-cert group; that didn't help either.
I modified the permissions of /etc/ssl/private to 716, basically saying that anyone other than root (user) and ssl-cert (group) can read and execute the directory.
sudo chmod 716 /etc/ssl/private
Then, I modified the ownership of ssl-cert-snakeoil.key
sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key
This worked for me, basically a combination of the answers by @devops and @Noushad.
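Added example, not code from any answer in this thread. The first function applies the rule the server's DETAIL message states: the key must be owned by the database user or root; a key owned by the database user may have no group or other bits set (0600 or less), a root-owned key may be group-readable but not group-writable or executable and must have no other bits (0640 or less). The second check covers the containing directory, which the server's message does not mention: the drw-r----- listing for /etc/ssl/private in the question has no search (x) bit for anyone, so a non-root user cannot reach the key whatever the key's own mode is, and that is why the answers that end up running chmod -R 700 or recreating the directory succeed. The narrower layout the gpasswd answer restores, root:ssl-cert with 0640 on the key and postgres in the ssl-cert group, also passes this check and avoids handing the database user every private key on the host, which matters when, as one answer notes, other certificates live in the same directory. Stat tuples are constructed; uid 114 and gids 127 (postgres) and 114 (ssl-cert) come from the question's id postgres output.

```python
"""Check an SSL private key the way PostgreSQL does before loading it, plus
whether the database user can reach it through its directory.

Added example; not code from the thread. (uid, gid, mode) tuples are
constructed stand-ins for os.stat results.
"""
import os
import stat
from typing import Set, Tuple

Stat = Tuple[int, int, int]  # (uid, gid, mode)


def key_file_problem(key_mode: int, key_uid: int, db_uid: int) -> str:
    """Return 'ok' or the reason the server refuses the key, following the
    DETAIL line in the thread: db-user-owned keys may carry no group/other
    bits (<= 0600); root-owned keys may carry group read only (<= 0640).
    Only group/other bits are inspected, the owner's own bits are not."""
    perm = stat.S_IMODE(key_mode)
    if key_uid not in (db_uid, 0):
        return "must be owned by the database user or root"
    forbidden = 0o077 if key_uid == db_uid else 0o037
    if perm & forbidden:
        return "has group or world access"
    return "ok"


def can_traverse(dir_mode: int, dir_uid: int, dir_gid: int, uid: int, gids: Set[int]) -> bool:
    """Search (x) permission on a directory for a uid with the given group set.
    Root bypasses; otherwise owner, group or other bits apply in that order."""
    if uid == 0:
        return True
    shift = 6 if uid == dir_uid else 3 if dir_gid in gids else 0
    return bool((stat.S_IMODE(dir_mode) >> shift) & 1)


def check_key_access(dir_st: Stat, key_st: Stat, db_uid: int, db_gids: Set[int]) -> str:
    """Directory reachability first, then the server's ownership/mode rule."""
    d_uid, d_gid, d_mode = dir_st
    if not can_traverse(d_mode, d_uid, d_gid, db_uid, db_gids):
        return "directory not searchable by the database user"
    k_uid, _k_gid, k_mode = key_st
    return key_file_problem(k_mode, k_uid, db_uid)


def check_live(key_path: str, db_uid: int, db_gids: Set[int]) -> str:
    """Same check against the real filesystem (e.g. /etc/ssl/private/ssl-cert-snakeoil.key)."""
    d = os.stat(os.path.dirname(key_path))
    k = os.stat(key_path)
    return check_key_access((d.st_uid, d.st_gid, d.st_mode), (k.st_uid, k.st_gid, k.st_mode), db_uid, db_gids)


if __name__ == "__main__":
    PG, GIDS = 114, {127, 114}  # postgres uid, its groups (postgres, ssl-cert)
    # State from the question: drw-r----- root ssl-cert dir, -rwxrwxrwx postgres key.
    print(check_key_access((0, 114, 0o640), (114, 127, 0o777), PG, GIDS))
    # Debian-style layout: dir root:ssl-cert 0710, key root:ssl-cert 0640.
    print(check_key_access((0, 114, 0o710), (0, 114, 0o640), PG, GIDS))
```

Running the two constructed cases reports the directory as the blocker for the question's state, and "ok" for the root:ssl-cert layout, so no answer's chown -R postgres is needed once the directory is searchable and the key is back to root:ssl-cert 0640.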

PostgreSQL: Permission denied + has wrong ownership loop?

I'm trying to run PostgreSQL on my local machine like I usually do; however, it's putting me in a situation that I can't fix. I installed postgresql91 with MacPorts.
These are the three commands I usually have to run to get it running:
sudo sysctl -w kern.sysv.shmall=4096
sudo sysctl -w kern.sysv.shmmax=16777216
sudo su postgres -c "/opt/local/lib/postgresql91/bin/postgres -D /opt/local/var/db/postgresql91/defaultdb -p 55432"
However, it's giving me this error today:
Nets-Mac-Pro:~ emai$ sudo sysctl -w kern.sysv.shmall=4096
Password:
kern.sysv.shmall: 4096 -> 4096
Nets-Mac-Pro:~ emai$ sudo sysctl -w kern.sysv.shmmax=16777216
kern.sysv.shmmax: 16777216 -> 16777216
Nets-Mac-Pro:~ emai$ sudo su postgres -c "/opt/local/lib/postgresql91/bin/postgres -D /opt/local/var/db/postgresql91/defaultdb -p 55432"
postgres cannot access the server configuration file "/opt/local/var/db/postgresql91/defaultdb/postgresql.conf": Permission denied
When I go to /opt/local/var/db/postgresql91/ and do an ls -l this is what comes up:
drwx------ 18 root wheel 612 Jun 28 12:44 defaultdb
So I decided to add the postgres user to the wheel group, and then chmod defaultdb to 770.
drwxrwx--- 18 root wheel 612 Jun 28 12:44 defaultdb
I still get the error:
FATAL: could not open configuration file "/opt/local/var/db/postgresql91/defaultdb/postgresql.conf": Permission denied
And so I change the file rights from:
-rw------- 1 root wheel 19170 Jan 7 11:52 postgresql.conf
to:
-rw-rw---- 1 root wheel 19170 Jan 7 11:52 postgresql.conf
And now it complains that when I run the command again:
Nets-Mac-Pro:~ emai$ sudo su postgres -c "/opt/local/lib/postgresql91/bin/postgres -D /opt/local/var/db/postgresql91/defaultdb -p 55432"
FATAL: data directory "/opt/local/var/db/postgresql91/defaultdb" has wrong ownership
HINT: The server must be started by the user that owns the data directory.
I have no clue how I used to run the postgres server considering the permissions of these files. Where do I find the data folder that it is hinting at? Is there a better way to fix this?
Postgres should be the owner of, and the only user capable of writing to, the data directory.
So, do:
sudo chown -Rf postgres:postgres /opt/local/var/db/postgresql91/defaultdb
sudo chmod 700 /opt/local/var/db/postgresql91/defaultdb
and it should be fine.