Pgbouncer installs full postgresql server just to get a service account

Bug #1972709 reported by Joi Owen
Affects: pgbouncer (Ubuntu) | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

PGbouncer installs a full copy of the postgresql server packages on the local client just to gain a 'postgres' service account. This leads to unnecessary confusion on clients which were never intended to host an SQL service locally. I found 3 (THREE!) copies of postgresql-server of various vintages installed on a production host (left there by inattentive developers).

The pgbouncer package is only installing postgresql packages so that it can re-use the postgres service account for file ownerships. The pgbouncer package should just create an account of its own if postgres doesn't already exist on the client host.

We use pgbouncer on clients to handle connections to remote database clusters, not a local SQL service. Pgbouncer does not require that SQL be present on the local server at all.

This behavior leaves unexpected and unmanaged postgresql services running with package defaults for admin logins, etc. I view this as a major security problem.

information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote:

Are you sure pgbouncer is the package that is dragging in the postgresql server in your environment? On Focal, the postgresql server is in package postgresql-12 and apt-rdepends doesn't show this dependency:

$ apt-rdepends --reverse postgresql-12 | grep pgbouncer
Reading package lists... Done
Building dependency tree
Reading state information... Done
$ apt-rdepends pgbouncer | grep postgresql-12
Reading package lists... Done
Building dependency tree
Reading state information... Done

Thanks

Changed in pgbouncer (Ubuntu):
status: New → Incomplete
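The report describes a client host carrying several PostgreSQL server packages it was never meant to run, and the comment above shows the dependency check. As an added example (not code from the report, the Ubuntu package, or Launchpad), here is a small POSIX shell audit that reads a dpkg package listing and reports PostgreSQL server packages (postgresql-NN) installed alongside pgbouncer; the function names are hypothetical, and the live run at the end is skipped on hosts without dpkg-query.

```shell
#!/bin/sh
# Audit helper (added example, not part of the bug report or the pgbouncer package).
# Input format for all functions: lines of `dpkg-query -W -f '${Package} ${Status}\n'`,
# e.g. "postgresql-12 install ok installed". The last field is the real package state:
# "installed" means present on disk, "config-files" means removed but leftover config.

# Print installed PostgreSQL server packages (postgresql-NN), one per line.
installed_pg_servers() {
  awk '$1 ~ /^postgresql-[0-9]+$/ && $NF == "installed" { print $1 }'
}

# Exit 0 when pgbouncer is installed in the listing, 1 otherwise.
pgbouncer_installed() {
  awk '$1 == "pgbouncer" && $NF == "installed" { found = 1 } END { exit !found }'
}

# One-line verdict for a listing on stdin:
#   "no-pgbouncer"                  pgbouncer is not installed, nothing to audit
#   "ok"                            pgbouncer present, no server packages
#   "server-present: <pkg> ..."     pgbouncer present next to server packages
audit_listing() {
  listing=$(cat)
  if ! printf '%s\n' "$listing" | pgbouncer_installed; then
    echo no-pgbouncer
    return 0
  fi
  servers=$(printf '%s\n' "$listing" | installed_pg_servers)
  if [ -n "$servers" ]; then
    printf 'server-present: %s\n' "$(printf '%s' "$servers" | tr '\n' ' ')"
  else
    echo ok
  fi
}

# Live run on a Debian/Ubuntu host; silently skipped where dpkg-query is absent.
if command -v dpkg-query >/dev/null 2>&1; then
  dpkg-query -W -f '${Package} ${Status}\n' | audit_listing
fi
```

A "server-present" verdict on a host that is only meant to proxy to remote clusters is the situation the report describes; the leftover "config-files" state is deliberately not counted, since no server binaries or service remain in that case.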
Launchpad Janitor (janitor) wrote:

[Expired for pgbouncer (Ubuntu) because there has been no activity for 60 days.]

Changed in pgbouncer (Ubuntu):
status: Incomplete → Expired