`pg_ls_dir` can query some directories, but not others - postgresql

On my system, /home and /etc have exactly the same permissions:
$ ls -ld /home /etc
drwxr-xr-x 67 root root 4096 Nov 13 15:59 /etc
drwxr-xr-x 3 root root 4096 Oct 18 13:45 /home
However, Postgres can read one, but not the other:
test=# select count(*) from (select pg_ls_dir('/etc')) a;
count
-------
149
(1 row)
test=# select count(*) from (select pg_ls_dir('/home')) a;
ERROR: could not open directory "/home": Permission denied
Even though the user the DB is running as can, in fact, run ls /home:
$ sudo -u postgres ls /home > /dev/null && echo "ls succeeded"
ls succeeded
What is going on?
My postgres version is 11.5, running on Arch Linux.

I figured it out, it is because Arch's bundled postgresql.service file set ProtectHome=true, causing systemd to use Linux mount namespaces to block the postgres processes from accessing /home.

Related

Create empty directories with cloud_init

I am trying to configure an user account using one cloud-init yaml file that include a call to write_files module, like this:
write_files:
#passwd file for vncserver
- path: /home/ubuntu/.vnc/passwd
owner: ubuntu:ubuntu
permissions: '0600'
defer: true
encoding: b64
content: bmtzZGN1eQo=
The file is created as expected, but the problem is that the parent directory is owned by root, and not by ubuntu user.
$ ls -la .vnc/
total 12
drwxr-xr-x 2 root root 4096 Dec 20 16:24 .
drwxr-x--- 5 ubuntu ubuntu 4096 Dec 20 16:24 ..
-rw------- 1 ubuntu ubuntu 8 Dec 20 16:24 passwd
I tried to manually create the /home/ubuntu/.vnc/ directory prior to create the passwd file to be able to set the ownership of the directory, just to find that documentation of write_files does not explain how to create (empty) directories.
I know that I could do this using runcmd module to insert a command like this:
runcmd:
- mkdir --mode 0600 --parents /home/ubuntu/.vnc
- echo bmtzZGN1eQo | base64 -d > /home/ubuntu/.vnc/passwd
- chmod 0600 /home/ubuntu/.vnc/passwd
but this seems to be too complex to do such small task.
It is possible to use write_files module to create directories or change ownership/permission of existing directories?

Permission denied for COPY file on valid directory

My PostgreSQL v10 is running on a UBUNTU server. The user group www-data contains the user postgres, as checked by grep ^www-data /etc/group. When I do sudo chown -R :postgres MyPath it works fine, but when I change to sudo chown -R :www-data MyPath it not works.
How to set permissions for postgres user access other user group?
NOTES
As #LaurenzAlbe suggested on comment, the ls -ld myPath is drwxrwxr-x 29 root postgres 4096 Feb 27 15:54 myPath
and id postgres is uid=112(postgres) gid=117(postgres) groups=117(postgres),33(www-data),116(ssl-cert)

MacOS Postgres 10 can't read csv file

I'm trying to copy a CSV file into a table by running a simple \copy command in Postgres;
postgres-# \copy solved_at FROM '/Users/funnychef/Downloads/export.csv' DELIMITER AS ',';
Every time I run the command I receive the Permission Denied error:
/Users/funnychef/Downloads/export.csv: Permission denied
The permissions on the file are wide open;
$ ls -ltr ~/Downloads/expor.csv
-rwxrwxrwx 1 funnychef staff 145524 Jul 8 22:15 /Users/funnychef/Downloads/export.csv
I assumed that the issue was related to the _postgres user not having access to the file so I made that user the owner of the file but still receive the error.
$ ls -ltr ~/Downloads/expor.csv
-rwxrwxrwx 1 _postgres staff 145524 Jul 8 22:15 /Users/funnychef/Downloads/export.csv
What am I missing?
Copy your file to /tmp directory and read the csv. The normal settings for /tmp are 1777, which ls shows as drwxrwxrwt

Effective user id does not change after making the file owned by root

I'm currently reading a book on programming with C, I got to a part where I've got to write a program which will display the real uid and effective uid that the file is being executed on. After compiling the code with gcc, I input the command to see the current uOwner and gOwner ls- l id_demo the output is this:
-rwxrwxr-x 1 user user 8629 Sep 21 13:04 id_demo
I then execute the program itself, this is what I get:
real uid: 1000 effective uid: 1000
...so far so good. I then input a command to change the owner of the file:
sudo chown root:root ./id_demo
The ls -l confirms that the owner has been changed to root:
-rwxrwxr-x 1 root root 8629 Sep 21 13:04 id_demo
Again, executing the program shows real uid and uid as 1000. The last step after which the uid must be 0 is this: sudo chmod u+s ./uid_demo but for me they stay as 1000, where in the book the output is clearly show to be this:
real uid: 1000
effective uid: 0
Any ideas why is this happening?
UPDATE
id_demo source code:
#include <stdio.h>
int main ()
{
printf("real uid: %d\n", getuid());
printf("effective uid: %d\n", geteuid());
}
UPDATE 2
Screen shots
PLEASE HELP. I'm going crazy I spent 6+hour looking for the solution and I need to move on.
We've figured it out. The cause is an ecryptfs-mounted home directory. The mount output contains the following line:
/home/evgeny/.Private on /home/evgeny type ecryptfs
That means that the home directory isn't actually part of the root filesystem (that has the necessary suid flag), but its own virtual filesystem that apparently doesn't support setuid binaries by default. I have successfully reproduced the issue with a test user that has an encrypted home directory.
It is possible to add the suid flag to the ecryptfs with the following command:
sudo mount -i -o remount,suid /home/evgeny
I'm not certain though how safe that is, nor how to change it permanently so that it would survive reboots.
This works for me:
compile
$ gcc uid_demo.c -o uid_demo
$ ll
total 12
-rwxrwxr-x 1 saml saml 6743 Sep 21 17:05 uid_demo
-rw-rw-r-- 1 saml saml 116 Sep 21 16:58 uid_demo.c
chown
$ sudo chown root:root uid_demo
$ ll
total 12
-rwxrwxr-x 1 root root 6743 Sep 21 17:05 uid_demo
-rw-rw-r-- 1 saml saml 116 Sep 21 16:58 uid_demo.c
chmod
$ sudo chmod u+s uid_demo
$ ll
total 12
-rwsrwxr-x 1 root root 6743 Sep 21 17:05 uid_demo
-rw-rw-r-- 1 saml saml 116 Sep 21 16:58 uid_demo.c
run
$ ./uid_demo
real uid: 500
effective uid: 0

PostgreSQL: Permission denied + has wrong ownership loop?

I'm trying to run postgresql on my local machine like I usually do, however it's putting me in a situation where I can't fix. I installed postgresql91 with macports.
These are the three commands I usually have to run to get it running:
sudo sysctl -w kern.sysv.shmall=4096
sudo sysctl -w kern.sysv.shmmax=16777216
sudo su postgres -c "/opt/local/lib/postgresql91/bin/postgres -D /opt/local/var/db/postgresql91/defaultdb -p 55432"
However, it's giving me this error today:
Nets-Mac-Pro:~ emai$ sudo sysctl -w kern.sysv.shmall=4096
Password:
kern.sysv.shmall: 4096 -> 4096
Nets-Mac-Pro:~ emai$ sudo sysctl -w kern.sysv.shmmax=16777216
kern.sysv.shmmax: 16777216 -> 16777216
Nets-Mac-Pro:~ emai$ sudo su postgres -c "/opt/local/lib/postgresql91/bin/postgres -D /opt/local/var/db/postgresql91/defaultdb -p 55432"
postgres cannot access the server configuration file "/opt/local/var/db/postgresql91/defaultdb/postgresql.conf": Permission denied
When I go to /opt/local/var/db/postgresql91/ and do an ls -l this is what comes up:
drwx------ 18 root wheel 612 Jun 28 12:44 defaultdb
So I decided to add the postgres user to the wheel group, and then chmod defaultdb to 770.
drwxrwx--- 18 root wheel 612 Jun 28 12:44 defaultdb
I still get the error:
FATAL: could not open configuration file "/opt/local/var/db/postgresql91/defaultdb/postgresql.conf": Permission denied
And so I change the file rights from:
-rw------- 1 root wheel 19170 Jan 7 11:52 postgresql.conf
to:
-rw-rw---- 1 root wheel 19170 Jan 7 11:52 postgresql.conf
And now it complains that when I run the command again:
Nets-Mac-Pro:~ emai$ sudo su postgres -c "/opt/local/lib/postgresql91/bin/postgres -D /opt/local/var/db/postgresql91/defaultdb -p 55432"
FATAL: data directory "/opt/local/var/db/postgresql91/defaultdb" has wrong ownership
HINT: The server must be started by the user that owns the data directory.
I have no clue how I used to run the postgres server considering the file permissions of the files. Where do I find the data folder that it is hinting me about? Is there a better way to fix this?
Postgres should be owner, and the only user capable of writing to, data directory.
So, do:
sudo chown -Rf postgres:postgres /opt/local/var/db/postgresql91/defaultdb
sudo chmod 700 /opt/local/var/db/postgresql91/defaultdb
and it should be fine.