[Pkg-postgresql-public] Bug#739276: Bug#739276: postgresql: Put pgstat in /var/run

Martin Pitt mpitt at debian.org
Sat Mar 8 16:53:07 UTC 2014


Hey all,

Christian Tacke [2014-03-08 12:56 +0100]:
> > > Note that this is a little too simplistic. This directory is only
> > > writable to clusters owned by postgres. While that is the default, you
> > > can assign any other owner, and you can even call pg_createcluster as
> > > a normal user and put everything into your $HOME; in those cases,
> > > /tmp/ will be used for the Unix socket, and we can't use
> > > /var/run/postgresql/.
> > 
> > pg_createcluster will still want to write to /etc/postgresql which is
> > owned by postgres, so the stats_temp_directory doesn't make the
> > situation worse.
> 
> /etc/postgresql is even owned by root on my system.
> /etc/postgresql/VERSION is owned by postgres though.
> 
> Note that pg_ctlcluster creates the stats_temp_directory
> and sets the owner of that directory to the cluster owner.
> So for clusters that root/postgres created but hands over
> to other people, this should actually work. (Not tested!)

Yes, as long as the init scripts (which run as root) do that, the init
script could pre-create the stats dir (the patch doesn't currently do
that, though). It would still not work to run pg_ctlcluster start as
the cluster owner, though.

> /tmp is possibly still better than the data directory.

Yes, indeed. Especially on machines with a reasonable amount of
memory it is advisable to put /tmp/ on a tmpfs, and I guess many
people do that (reduces battery usage, HD
wakeups/wearout/fragmentation, and on servers to increase
performance).

> SECURITY consideration: I have not reviewed pg_ctlcluster
> for creating the stat_tmp directory in a safe way. The name
> of the directory is very predictable, so this might be an
> issue.

pg_ctlcluster wouldn't do that, that's postgres itself. But creating
directories is generally safe, as mkdir() fails if the file already
exists (even as a dangling symlink); it's creating temporary files
which needs special attention (O_EXCL).

> I'm suggesting to use my patch for now/starters.
> 
> It shouldn't break anything for admin-created clusters that
> wasn't broken before. (For those, the tmp-dir should be
> created correctly by pg_ctlcluster).

As I wrote, it will break admin-created clusters which are not owned
by "postgres". They currently work just fine now.

> Very simple mitigation: Add some more documentation to
> createcluster.conf on the lines of
> # Clusters created by normal users will need to change this
> # option in postgresql.conf, because the directory will not
> # be setup properly for them.

No, I don't believe in configuring broken defaults. Then let's rather
only configure this for owners which can actually write
/var/run/postgres/, so that the status quo is kept for clusters of
other owners.

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
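The mkdir()/O_EXCL point Martin makes above, as an added example that is not code from pg_ctlcluster, PostgreSQL or anyone on this thread: a hypothetical helper, `ensure_private_dir`, that pre-creates a stats directory at a predictable name the way an init script running as root would, and refuses to use a symlink, a plain file or someone else's directory already sitting at that name. The path, owner and group it is given are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: pre-create a stats directory at a predictable name
 * on behalf of a cluster owner.  Returns 0 on success, -1 with errno set
 * when the name is occupied by something that is not ours to use. */
int ensure_private_dir(const char *path, uid_t owner, gid_t group)
{
    int created = 1, rc = -1, saved;
    struct stat st;

    /* mkdir() never follows an existing entry: a symlink planted at the
     * name, even a dangling one, gives EEXIST instead of being used. */
    if (mkdir(path, 0700) != 0) {
        if (errno != EEXIST)
            return -1;
        created = 0;
    }
    /* Open the entry itself: O_NOFOLLOW rejects a symlink, O_DIRECTORY a
     * plain file, and every later check works on the fd, not the name. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0)
        goto out;
    /* A fresh directory must still be ours; an existing one must already
     * belong to the intended owner (e.g. root created and chowned it). */
    if (st.st_uid != (created ? geteuid() : owner)) {
        errno = EPERM;
        goto out;
    }
    /* The init-script case: root made it, now hand it to the cluster owner. */
    if (created && fchown(fd, owner, group) != 0)
        goto out;
    if (fchmod(fd, 0700) != 0)
        goto out;
    rc = 0;
out:
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}
```

Files created inside that directory are the separate case the mail mentions: they are opened with O_CREAT | O_EXCL so an entry planted under the predictable name fails the open instead of being written through.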
