Hi,
I came onto some issues with database usage with calendarserver under debian.
Debian postgres is configured out of box like [1], using peer.
peer means if username matches access is allowed.
The debian default user is caldavd, and database access using peer
can be done using setting <string>:caldav:caldavd:::</string> in
<key>DSN</key> for postgres.
Now to access the database with this setting, the user also has to be caldavd.
I used calendarserver_bootstrap_database to install the database.
(@Debian-devel: debian specific patches in quilt format attached for 4.1.1 and
trunk)
To get it to work I used DAEMON_OPTS="-u caldavd -g caldavd", eg twistd
user/group.
When running as root, the database access will fail due to that root != caldavd
for
the peer authentication.
There is a privelege "degradation" later in the code :
2012-11-14 10:56:48+0100 [-] [caldav-0] [-]
/usr/lib/python2.7/dist-packages/twisted/python/util.py:714:
exceptions.UserWarning: tried to drop privileges and setuid 115 but uid is
already 115; should we be root? Continuing.
But the code in my case runs anyway, as I am using port 8008, a non privileged
port.
My main question is if database access can be done after droping to the caldavd
user ?
or is there a reason to access the database as root ?
If it is possible to drop to caldavd the DAEMON_OPTS can be dropped.
(I guess it is always good to drop privileges when accessing services :) )
One can adapt in different ways, going to using passwords.
Apple products may have other authentication, or other authentication
might be needed for multi server.
I just wanted to try to explain the debian issues I ran into, so we can
decide what to prescribe on how to authenticate with the database.
Eg if the password method is needed or if peer can be used.
/Fred
[1] /etc/postgresql/9.1/main/pg_hba.conf
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
--- a/calendarserver/tools/bootstrapdatabase.py
+++ b/calendarserver/tools/bootstrapdatabase.py
@@ -20,16 +20,19 @@
import subprocess
import sys
-CONNECTNAME = "_postgres"
-USERNAME = "caldav"
+CONNECTNAME = "postgres"
+USERNAME = "caldavd"
DATABASENAME = "caldav"
-PGSOCKETDIR = "/Library/Server/PostgreSQL For Server Services/Socket"
-SCHEMAFILE = "/Applications/Server.app/Contents/ServerRoot/usr/share/caldavd/lib/python/txdav/common/datastore/sql_schema/current.sql"
+PGSOCKETDIR = "/var/run/postgresql"
+SCHEMAFILE = "/usr/share/pyshared/txdav/common/datastore/sql_schema/current.sql"
# Executables:
-CREATEDB = "/Applications/Server.app/Contents/ServerRoot/usr/bin/createdb"
-CREATEUSER = "/Applications/Server.app/Contents/ServerRoot/usr/bin/createuser"
-PSQL = "/Applications/Server.app/Contents/ServerRoot/usr/bin/psql"
+SUDO = "/usr/bin/sudo"
+SUDOUSER = "-u"
+
+CREATEDB = "/usr/bin/createdb"
+CREATEUSER = "/usr/bin/createuser"
+PSQL = "/usr/bin/psql"
def usage(e=None):
name = os.path.basename(sys.argv[0])
@@ -56,6 +59,9 @@
"""
cmdArgs = [
+ SUDO,
+ SUDOUSER,
+ CONNECTNAME,
CREATEUSER,
"-h", PGSOCKETDIR,
"--username=%s" % (CONNECTNAME,),
@@ -91,6 +97,9 @@
"""
cmdArgs = [
+ SUDO,
+ SUDOUSER,
+ USERNAME,
CREATEDB,
"-h", PGSOCKETDIR,
"--username=%s" % (USERNAME,),
@@ -122,6 +131,9 @@
"""
cmdArgs = [
+ SUDO,
+ SUDOUSER,
+ USERNAME,
PSQL,
"-h", PGSOCKETDIR,
"-d", DATABASENAME,
@@ -160,8 +172,12 @@
"""
cmdArgs = [
+ SUDO,
+ SUDOUSER,
+ USERNAME,
PSQL,
"-h", PGSOCKETDIR,
+ "-d", DATABASENAME,
"-U", USERNAME,
"-f", SCHEMAFILE,
]
@@ -251,12 +267,12 @@
required_version = int(found.group(1))
if version == required_version:
print "Latest schema version (%d) is installed" % (version,)
-
+
elif version == 0: # No schema installed
installSchema(verbose=verbose)
version = getSchemaVersion(verbose=verbose)
print "Successfully installed schema version %d" % (version,)
-
+
else: # upgrade needed
error(
"Schema needs to be upgraded from %d to %d" %
--- a/calendarserver/tools/bootstrapdatabase.py
+++ b/calendarserver/tools/bootstrapdatabase.py
@@ -20,15 +20,17 @@
import subprocess
import sys
-CONNECTNAME = "_postgres"
-USERNAME = "caldav"
+SUDO = "/usr/bin/sudo"
+SUDOUSER = "-u"
+CONNECTNAME = "postgres"
+USERNAME = "caldavd"
DATABASENAME = "caldav"
-SCHEMAFILE = "/Applications/Server.app/Contents/ServerRoot/usr/share/caldavd/lib/python/txdav/common/datastore/sql_schema/current.sql"
+SCHEMAFILE = "/usr/share/pyshared/txdav/common/datastore/sql_schema/current.sql"
# Executables:
-CREATEDB = "/Applications/Server.app/Contents/ServerRoot/usr/bin/createdb"
-CREATEUSER = "/Applications/Server.app/Contents/ServerRoot/usr/bin/createuser"
-PSQL = "/Applications/Server.app/Contents/ServerRoot/usr/bin/psql"
+CREATEDB = "/usr/bin/createdb"
+CREATEUSER = "/usr/bin/createuser"
+PSQL = "/usr/bin/psql"
def usage(e=None):
name = os.path.basename(sys.argv[0])
@@ -55,6 +57,9 @@
"""
cmdArgs = [
+ SUDO,
+ SUDOUSER,
+ CONNECTNAME,
CREATEUSER,
"--username=%s" % (CONNECTNAME,),
USERNAME,
@@ -89,6 +94,9 @@
"""
cmdArgs = [
+ SUDO,
+ SUDOUSER,
+ USERNAME,
CREATEDB,
"--username=%s" % (USERNAME,),
DATABASENAME,
@@ -119,6 +127,9 @@
"""
cmdArgs = [
+ SUDO,
+ SUDOUSER,
+ USERNAME,
PSQL,
"-d", DATABASENAME,
"-U", USERNAME,
@@ -156,7 +167,11 @@
"""
cmdArgs = [
+ SUDO,
+ SUDOUSER,
+ USERNAME,
PSQL,
+ "-d", DATABASENAME,
"-U", USERNAME,
"-f", SCHEMAFILE,
]
@@ -246,12 +261,12 @@
required_version = int(found.group(1))
if version == required_version:
print "Latest schema version (%d) is installed" % (version,)
-
+
elif version == 0: # No schema installed
installSchema(verbose=verbose)
version = getSchemaVersion(verbose=verbose)
print "Successfully installed schema version %d" % (version,)
-
+
else: # upgrade needed
error(
"Schema needs to be upgraded from %d to %d" %
_______________________________________________
calendarserver-dev mailing list
calendarserver-dev@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo/calendarserver-dev
