postgresql: give postgres user a shell
domenkozar committed Sep 26, 2018
1 parent e0f4610 commit 82feb4b
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions nixos/modules/services/databases/postgresql.nix
Expand Up @@ -188,6 +188,8 @@ in
uid = config.ids.uids.postgres;
group = "postgres";
description = "PostgreSQL server user";
home = "${cfg.dataDir}";
useDefaultShell = true;
};

users.groups.postgres.gid = config.ids.gids.postgres;
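
Review bot: `useDefaultShell = true;` gives the postgres service account a login shell on every installation, and nothing in the hunk says why. Add a comment above it stating the reason, and consider putting it behind an option rather than leaving it always on. With `home = "${cfg.dataDir}";` the account's home is the database data directory, so anything a shell session writes to its home (history, dotfiles) lands next to the cluster files; either say that this is intended or give the account a separate home.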

3 comments on commit 82feb4b

@dtzWill
Member

This seems unusual, could you maybe add a comment (here or perhaps in the code) explaining this? Is it something everyone should have enabled?

@domenkozar
Member Author

Why is it unusual? The motivation is that you use the postgres user to access the root of the database, and by having a shell set, you get shell history, etc.

@thoughtpolice
Member

thoughtpolice commented on 82feb4b Nov 4, 2018

For any historians who stumble here, it is actually more subtle than that and my motivation was not to get shell history, but because Postgres is subtly broken without executing in a shell-capable environment. See da504b6 (temporary and may go away in the future)

da504b673918f44921907aa5ef318a1eb292f7dd nixos/postgresql: give the postgres user a homedir and shell

For certain SQL operations such as

    COPY (...) [TO|FROM] PROGRAM '...' WITH (FORMAT CSV)

the designated PostgreSQL server user must be able to execute the
specified program and pipe the data into it; however, Postgres executes
these commands *under a shell* in order to support features such as
traditional piping, for commands like split or gzip. With no homedir and
no shell assigned, Postgres fails to execute the shell, resulting in a
hang that then later results in the query failing. Depending on the
program and query executed, this may happen at seemingly random times
due to buffering/piping issues.

While it isn't traditional to assign a shell to the database user (at
least on NixOS), doing so restores this functionality, which is
extremely useful for e.g. bulk ETL pipelines that copy to/from external
data files.

Signed-off-by: Austin Seipp <aseipp@pobox.com>

So this is actually an important bug-fixing change, nonetheless (I suppose homeDir isn't strictly needed, but it doesn't hurt, and being there by default is probably reasonable when you do things like sudo -i -u postgres, too, like if you want to edit pg_hba.conf).
