Activity log for bug #1993276

Date                 Who                  What changed   Old value      New value      Message
2022-10-18 09:30:56  DUFOUR Olivier       bug added      bug
2022-10-18 09:32:47  Przemyslaw Hausman   tags                          cis-hardening
2022-10-18 09:44:02  DUFOUR Olivier       description    (see below)    (see below)

Old value (description as first filed):

    Part of the recommendation for CIS hardening 6.2.8 is to ensure users' home directories are not world readable. The postgres user's home, which is "/var/lib/postgresql/", is currently created with 0755, which breaks this rule. Although the behavior is the same on Bionic and Jammy as well, here is an example from Focal:

        ubuntu@node-0:~/postgresql$ ls -la /var/lib/postgresql/
        total 12
        drwxr-xr-x  3 postgres postgres 4096 Oct 18 07:37 .
        drwxr-xr-x 48 root     root     4096 Oct 18 07:37 ..
        drwxr-xr-x  3 postgres postgres 4096 Oct 18 07:37 12

    At first glance, this seems to be related to the package installation scripts from the postgresql-common package, with the following happening in postgresql-common.postinst:

        # ensure home directory ownership
        mkdir -p /var/lib/postgresql
        su -s /bin/sh postgres -c "test -O /var/lib/postgresql &&
                test -G /var/lib/postgresql" || \
            chown postgres:postgres /var/lib/postgresql

    However, it might be required to check as well whether changing the access rules wouldn't partially break the charm, especially in regard to the functionality of some potential subordinate charms such as nrpe.

New value (description after the edit):

    Part of the recommendation for CIS hardening 6.2.6 is to ensure users' home directories are not world readable. The postgres user's home, which is "/var/lib/postgresql/", is currently created with 0755, which breaks this rule. Although the behavior is the same on Bionic and Jammy as well, here is an example from Focal:

        ubuntu@node-0:~/postgresql$ ls -la /var/lib/postgresql/
        total 12
        drwxr-xr-x  3 postgres postgres 4096 Oct 18 07:37 .
        drwxr-xr-x 48 root     root     4096 Oct 18 07:37 ..
        drwxr-xr-x  3 postgres postgres 4096 Oct 18 07:37 12

    At first glance, this seems to be related to the package installation scripts from the postgresql-common package, with the following happening in postgresql-common.postinst:

        # ensure home directory ownership
        mkdir -p /var/lib/postgresql
        su -s /bin/sh postgres -c "test -O /var/lib/postgresql &&
                test -G /var/lib/postgresql" || \
            chown postgres:postgres /var/lib/postgresql

    However, it might be required to check as well whether changing the access rules wouldn't partially break the charm, especially in regard to the functionality of some potential subordinate charms such as nrpe.
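An added shell helper, not code from the bug report, the charm or postgresql-common, that audits a home directory against the "750 or more restrictive" rule the report cites and applies the usual `chmod g-w,o-rwx` remediation. It assumes GNU coreutils `stat -c %a` and runs its demo on a constructed temporary directory set to the 0755 mode seen in the report rather than on /var/lib/postgresql itself.

```shell
#!/bin/sh
# Audit and remediation helper for the CIS 6.2 home-directory permission rule.
# Added example; assumes GNU coreutils `stat`. Paths are passed as parameters.

# Print the three permission digits of a path (any setuid/setgid/sticky digit dropped).
perm_digits() {
    p=$(stat -c '%a' "$1") || return 2
    while [ "${#p}" -gt 3 ]; do p=${p#?}; done
    printf '%s\n' "$p"
}

# Return 0 when the directory is 750 or stricter: no group-write bit and no "other" bits.
home_dir_is_compliant() {
    [ -d "$1" ] || return 2
    p=$(perm_digits "$1") || return 2
    g=$(printf '%s' "$p" | cut -c2)
    o=$(printf '%s' "$p" | cut -c3)
    [ $(( g & 2 )) -eq 0 ] && [ "$o" -eq 0 ]
}

# The benchmark's usual remediation: strip group write and all "other" access,
# leaving owner and group execute (needed for the service to traverse its home).
remediate_home_dir() {
    chmod g-w,o-rwx "$1"
}

# Demo on a constructed directory that mimics the 0755 home the report shows,
# then remediates it and prints the before/after modes.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/postgresql"
    chmod 0755 "$tmp/postgresql"
    if home_dir_is_compliant "$tmp/postgresql"; then
        echo "before: compliant"
    else
        echo "before: $(perm_digits "$tmp/postgresql") is world-accessible, remediating"
        remediate_home_dir "$tmp/postgresql"
    fi
    echo "after: $(perm_digits "$tmp/postgresql")"
    rm -rf "$tmp"
}

demo
```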