Postgresql home directory is world readable

Bug #1993276 reported by DUFOUR Olivier
Affects: PostgreSQL Charm. Status: New. Importance: Undecided. Assigned to: Unassigned. Milestone: none.

Bug Description

Part of the recommendation for CIS hardening 6.2.6 is to ensure users' home directories are not world readable;
the postgres user's home, which is "/var/lib/postgresql/", is currently created with 0755, which breaks this rule.
Although the behavior is the same on Bionic and Jammy as well, here is an example from Focal:
ubuntu@node-0:~/postgresql$ ls -la /var/lib/postgresql/
total 12
drwxr-xr-x 3 postgres postgres 4096 Oct 18 07:37 .
drwxr-xr-x 48 root root 4096 Oct 18 07:37 ..
drwxr-xr-x 3 postgres postgres 4096 Oct 18 07:37 12

At first glance, this seems to be related to the package installation scripts from the postgresql-common package.
The following happens in postgresql-common.postinst:
    # ensure home directory ownership
    mkdir -p /var/lib/postgresql
    su -s /bin/sh postgres -c "test -O /var/lib/postgresql &&
            test -G /var/lib/postgresql" || \
        chown postgres:postgres /var/lib/postgresql

However, it might also be necessary to check whether changing the access rules would partially break the charm, especially with regard to the functionality of potential subordinate charms such as nrpe.
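As an added example (not code from the bug report, the charm or postgresql-common), here is a portable audit for the rule the report cites: every login account's home directory must be 0750 or tighter. It reads a passwd(5)-format file and lists the offending users, so a 0755 /var/lib/postgresql like the one above shows up as a finding; the paths and passwd entries used when exercising it are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or the PostgreSQL charm: a
# CIS 6.2.6-style audit that home directories are mode 0750 or tighter
# (no group-write bit, no "other" bits). Paths and passwd entries used
# when exercising it are constructed.

# Print the octal permission bits of a path (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed (exit 0) only if the directory is 0750 or more restrictive.
# Octal 027 masks group-write plus all three "other" bits, so if any of
# those is set the AND is non-zero and the check fails.
home_dir_perms_ok() {
    [ -d "$1" ] || return 1
    oct=$(mode_of "$1") || return 1
    [ $(( 0$oct & 027 )) -eq 0 ]
}

# Walk a passwd(5) file (default /etc/passwd), skip accounts whose shell is
# nologin/false or empty, and print "user home mode" for every home
# directory that fails the check. Exit 1 if any failed, 0 if all passed.
audit_home_dirs() {
    passwd=${1:-/etc/passwd}
    failed=0
    while IFS=: read -r user _ _ _ _ home shell; do
        case "$shell" in
            */nologin|*/false|"") continue ;;
        esac
        [ -d "$home" ] || continue
        if ! home_dir_perms_ok "$home"; then
            printf '%s %s %s\n' "$user" "$home" "$(mode_of "$home")"
            failed=1
        fi
    done < "$passwd"
    return $failed
}
```

Run `audit_home_dirs` with no argument to check the real /etc/passwd; a non-zero exit status makes it usable directly from a compliance or nrpe-style check.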

tags: added: cis-hardening
description: updated