I believe I ended up mixing up permissions at /etc/ssl directories tree as the last modification was made on 18th November and a day after I could not get my PostgreSQL to work.
When I type in
sudo service postgresql start
I get
FATAL: could not access private key file “/etc/ssl/private/ssl-cert-snakeoil.key”: Permission denied
Checking permissions
~$ sudo -i
~$ ls -la /etc/ssl/private
drw-r----- 2 root ssl-cert 4096 Nov 18 21:10 .
-rwxrwxrwx 1 postgres postgres 1704 Set 4 11:26 ssl-cert-snakeoil.key
Checking group composition
~$ id postgres
uid=114(postgres) gid=127(postgres) groups=127(postgres),114(ssl-cert)
Also I noticed that my ssl-cert-snakeoil.pem file at /etc/ssl/certs/ doesn't have a symlink. I don't know if this makes any difference...
Please, help me sort this out.
Thanks.
Edit: Should it be posted on serverfault instead?
Try adding postgres user to the group ssl-cert
Run the below code to fix your issue:
# > It happened to me and it turned out that I removed erroneously the postgres user from "ssl-cert" group, set it back with
sudo gpasswd -a postgres ssl-cert
# Fixed ownership and mode
sudo chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
sudo chmod 740 /etc/ssl/private/ssl-cert-snakeoil.key
# now postgresql starts! (and install command doesn't fail anymore)
sudo /etc/init.d/postgresql start
courtsey to GabLeRoux
Check the output of
$ sudo -u postgres
$ cd /etc/ssl/private
$ ls
If the response is "Permission denied" do
$ chown postgres:ssl-cert /etc/ssl/private/
$ chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key
Only thing that will work if you have changed permissions for /etc/ssl/private
mkdir /etc/ssl/private-copy; mv /etc/ssl/private/* /etc/ssl/private-copy/; rm -r /etc/ssl/private; mv /etc/ssl/private-copy /etc/ssl/private; chmod -R 0700 /etc/ssl/private; chown -R postgres /etc/ssl/private
Copy this whole command (It's a one line code).
If this doesn't work for you, ckeck your postgres user groups by groups postgres and make sure your postgres user have ssl-cert root postgres (Order doesn't matter).
Now lets check your file permissions on ssl/private :
$ ls -la /etc/ssl/
> drwx------ 2 postgres root private
If this is not the output change your permissions with sudo chmod -R 700 /etc/ssl/private and for owners chown -R postgres:root /etc/ssl/private
//Now check permissions on ssl-cert-snakeoil.key,
//which will be inside your **private** directory.
$ ls -la /etc/ssl/private/ssl-cert-snakeoil.key
> -rwx------ 1 postgres root /etc/ssl/private/ssl-cert-snakeoil.key
I was suffering from this issue when attempting to start Postgresql on a remote docker instance. I eventually tracked down the crazy solution here. Basically you have to recreate the directories, chown on it's own doesn't work:
mkdir /etc/ssl/private-copy; mv /etc/ssl/private/* /etc/ssl/private-copy/; rm -r /etc/ssl/private; mv /etc/ssl/private-copy /etc/ssl/private; chmod -R 0700 /etc/ssl/private; chown -R postgres /etc/ssl/private
This error was preventing my PostgreSQL server from running locally.
The following worked for me:
sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key
sudo chmod 600 /etc/ssl/private/ssl-cert-snakeoil.key
Also make sure that /etc/ssl/private has enough permissions.
Some programs can be incredibly pedantic and cost you valuable hours. By running journalctl after sudo systemctl start postgresql I'd see various errors like:
FATAL: could not load private key file "/etc/ssl/private/ssl-cert-snakeoil.key": Permission denied
FATAL: private key file "/etc/ssl/private/ssl-cert-snakeoil.key" must be owned by the database user or root
FATAL: private key file "/etc/ssl/private/ssl-cert-snakeoil.key" has group or world access
DETAIL: File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
I couldn't make it with work sudo chmod root:root, so I had to settle for sudo chmod postgres:postgres.
EDIT
I haven't tried it, but running deleting and regenerating the snakeoil certificate might work as well:
make-ssl-cert generate-default-snakeoil --force-overwrite
(You may have to run it with sudo, don't know.)
Try setting permissions on the .key file to 600. Postgres doesn't like key files with group or world permissions set. You may also need to change the owner to postgres, though I'm not sure about that.
I am running the postgres server in WSL, and I was facing the error with the ssl-cert file. I managed to make it work by changing the owner of the file to the postgres user I had created, adding the expected user and group IDs to the user as required of the application (111 and 116, respectively, as gleaned from helpful error messages), and voila, I have an active server from within WSL.
sudo useradd postgres
sudo usermod -u 111 -g 116 -a -G ssl-cert postgres
sudo chown postgres /etc/ssl/private/ssl-cert-snakeoil.key
After running the above, there were two more files the user running the server (postgres for me) needed permission to access, both residing in /var/postgresql. I used sudo chown -- twice more to give ownership to postgres. Running sudo service postgresql start will tell you which files you'll need to transfer ownership of through any error messages.
I had other certificates under /etc/ssl/private and hence, changing permissions recursively was out of question.
I tried adding postgres user to ssl-cert group that didn't help either.
I modified the permission of /etc/ssl/private to 716, basically saying that anyone else other than root (user) and ssl-cert (group) can read and execute the directory.
sudo chmod 716 /etc/ssl/private
Then, I modified the ownership of ssl-cert-snakeoil.key
sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key
This worked for me, basically a combination of the answers by #devops and #Noushad
Related
I am new to postgres and was following this tutorial for setting Up Physical Streaming Replication with PostgreSQL
In step 3 while running the following command:
sudo -u postgres rm -r /var/lib/postgresql/12/main/*
I was getting the following error
rm: cannot remove '/var/lib/postgresql/12/main/*': No such file or directory
while the /var/lib/postgresql/12/main/ clearly had many files if explored manually.
In desperation, I deleted all the files inside /var/lib/postgresql/12/main/ manually and now any of the further steps are not working.
I have even tried to uninstall and install postgresql-12 using
sudo apt-get --purge remove postgresql
and
sudo apt -y install postgresql-12 postgresql-client-1 respectively
I have even tried doing the whole process again from start and while running the following command:
sudo -u postgres psql
sudo pg_ctlcluster 12 main start
I got this error:
Job for postgresql#12-main.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status postgresql#12-main.service" and "journalctl -xe" for details.
while resolving the above issue using :
sudo chown postgres.postgres /var/lib/postgresql/12/main/global/pg_internal.init
I got this error...
chown: cannot access '/var/lib/postgresql/12/main/global/pg_internal.init': No such file or directory
I think this is happening because of the manual deletion of all the files and folder in
/var/lib/postgresql/12/main/
Any help is much appreciated
Thanks
The glob * is evaluated by your regular user before the sudo is invoked, but your regular user can't see into that directory. So what gets sent to the postgres user is an order to remove the file with the literal name of '/var/lib/postgresql/12/main/*', which doesn't exist. You would need to have your shell that evaluated the glob be postgres, so it can see what it is doing before invoking rm. Something like:
sudo -u postgres bash -c 'rm -r /var/lib/postgresql/12/main/*'
For the rest of it, you didn't give enough details to know what is going on, like what was in the logs, or what were the directory listings at the time your command failed.
Im writing a shell to automate a process this shell will be run as root or as another user but not as the postgres user (meaning the user will just run the script)
What i did as a postgres user while testing was
touch /var/lib/postgresql/10/main/recovery.conf
sudo nano recovery.conf (wrote some content )
ctrl +O
However whenever I try to do this by using the following lines in my shell as as another user (including root)
sudo -H -u postgres bash -c "touch /var/lib/postgresql/10/main/recovery.conf"
The file is created as postgres user which is what i intended, and then i run
sudo -H -u postgres bash -c echo "content" > /var/lib/postgresql/10/main/recovery.conf
and get a
-bash: /var/lib/postgresql/10/main/recovery.conf: Permission denied
How come I can create the file but not put content on it?
I already tried giving 775 and 777 permisions using chmod
chmod 775 recovery.conf
as the psotgres user and i get
-rwxrwxr-x 1 postgres postgres 133 May 11 22:11 recovery.conf
to this file as a postgres user and still the error persists so im confused about whats going on
At the second line where you try to put the "echo" command, please use:
/var/lib/postgresql/10/main/recovery.conf
With a / at the beginning
I am trying to run multiple mongod instances on the same centos machine with different config files.
I am getting following error while running the instance as a service:
sudo service mongod1 start
/var/lib/mongo1: boost::filesystem::status: Permission denied: "/var/lib/mongo1/mongod.lock"
I have added the permissions for the /var/lib/mongo1 using:
sudo chmod -R 600 /var/lib/mongo1
I also tried with 700, 755 and 777 at the end but nothing seems to work.
mongod:mongod is the owner of the folder /var/lib/mongo1
Any help is appreciated.
I know this is really late but I was struggling with this for days and just now found the fix. That being said for future users running into this issue the solution if you're using SELinux is to check the context of the default mongodb path against your own to make sure they are the same by executing
ls -dZ /var/lib/mongo/
the output should look something like this
drwxr-xr-x. mongod mongod system_u:object_r:mongod_var_lib_t:s0 /var/lib/mongo/
if it's not then you can copy it by doing
chcon -R --reference=/var/lib/mongo /your/path
the source can be found here
Maybe the lock file is missing? Which might explain why chmod isn't having the desired effect...
Try:
touch /var/mongo1/mongod.lock
chown mongod:mongod
chmod 600 /var/mongo1/mongod.lock
important :
Don't try to restart mongo using sudo as it tries to change the user to root where as /var/lib/mongodb owner is mongod:mongod
Please remember that Directories needs to have execute permission, but the files within the directories do not need to execute permission.
The following 2 commands worked for me
$ sudo chmod -R 770 /var/lib/mongo1
$ sudo find /var/lib/mongo1 -type f -exec chmod 660 {} \;
This will first give everything under /var/lib/mongo1 execute permission, and then return all the normal files to having only read and write, but not execute.
I'm trying to run postgresql on my local machine like I usually do, however it's putting me in a situation where I can't fix. I installed postgresql91 with macports.
These are the three commands I usually have to run to get it running:
sudo sysctl -w kern.sysv.shmall=4096
sudo sysctl -w kern.sysv.shmmax=16777216
sudo su postgres -c "/opt/local/lib/postgresql91/bin/postgres -D /opt/local/var/db/postgresql91/defaultdb -p 55432"
However, it's giving me this error today:
Nets-Mac-Pro:~ emai$ sudo sysctl -w kern.sysv.shmall=4096
Password:
kern.sysv.shmall: 4096 -> 4096
Nets-Mac-Pro:~ emai$ sudo sysctl -w kern.sysv.shmmax=16777216
kern.sysv.shmmax: 16777216 -> 16777216
Nets-Mac-Pro:~ emai$ sudo su postgres -c "/opt/local/lib/postgresql91/bin/postgres -D /opt/local/var/db/postgresql91/defaultdb -p 55432"
postgres cannot access the server configuration file "/opt/local/var/db/postgresql91/defaultdb/postgresql.conf": Permission denied
When I go to /opt/local/var/db/postgresql91/ and do an ls -l this is what comes up:
drwx------ 18 root wheel 612 Jun 28 12:44 defaultdb
So I decided to add the postgres user to the wheel group, and then chmod defaultdb to 770.
drwxrwx--- 18 root wheel 612 Jun 28 12:44 defaultdb
I still get the error:
FATAL: could not open configuration file "/opt/local/var/db/postgresql91/defaultdb/postgresql.conf": Permission denied
And so I change the file rights from:
-rw------- 1 root wheel 19170 Jan 7 11:52 postgresql.conf
to:
-rw-rw---- 1 root wheel 19170 Jan 7 11:52 postgresql.conf
And now it complains that when I run the command again:
Nets-Mac-Pro:~ emai$ sudo su postgres -c "/opt/local/lib/postgresql91/bin/postgres -D /opt/local/var/db/postgresql91/defaultdb -p 55432"
FATAL: data directory "/opt/local/var/db/postgresql91/defaultdb" has wrong ownership
HINT: The server must be started by the user that owns the data directory.
I have no clue how I used to run the postgres server considering the file permissions of the files. Where do I find the data folder that it is hinting me about? Is there a better way to fix this?
Postgres should be owner, and the only user capable of writing to, data directory.
So, do:
sudo chown -Rf postgres:postgres /opt/local/var/db/postgresql91/defaultdb
sudo chmod 700 /opt/local/var/db/postgresql91/defaultdb
and it should be fine.
Keys are properly deployed in ~/.ssh/authorized_keys
Yet ssh keeps on prompting for a password.
Several issues, mostly privileges - but also related to SELinux on RedHat 6
The following script should fix them all, please replace <user>:<group> with your matching userid and group
chown -R <user>:<group> ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
restorecon -R -v ~/.ssh
I'd agree with the changes above working on most linux variants in the root account.
I have had a problem with RedHat 6.3 with trying to get a postgres user account to use DSA auth. (6.3 running in VirtualBox)
The issue can be that the basic selinux permissions are wrong. Restorecon wont help in this case.
(After restorecon)
drwx------. postgres postgres unconfined_u:object_r:var_lib_t:s0 .ssh
I have fixed this with :
chcon -R -t ssh_home_t .ssh
This resolved this instance of the problem.
I had also this same issue, the proposed solution above did not solve the case for me. To summarise instructions abowe together:
Check following logfile on target system for possible details of errors: /var/log/secure
Permission of files in users ~/.ssh directory should be 600 and files should be owned By "user:group"
Permission of ~/.ssh directory should be 700 and owned By "user:group"
Permission of home directory of user ie. "~" (="~/.ssh/..") should be 755. If permissions are f.ex 775, ssh key autenthication failed in my system.
br
bruno
The above answer is quite good, I have an addition & a suggestion. The addition is in line 2 below, as home directory permissions not be more permissive than rwxr-x--- for ssh key authentication.
cd ~
chmod g-w,o-rwx .
chmod 700 .ssh
cd .ssh
chmod 600 *
chmod 644 authorized_keys
chmod 644 known_hosts
chmod 644 config
restorecon -R -v ../.ssh
The suggestion is to make use of the -vv option when testing.