Given that we are in OpenSolaris, I think this discussion needs to be 
moved to the public aliases, so I'm taking it there.  There are a lot of 
smart folks out there who I am sure can contribute their experience and 
knowledge to this discussion.

We can't only serve the needs of the production/IT user at the cost of 
usability for the developer.  "Secure by default" doesn't have to mean 
"PITA by default."  So I appreciate Jignesh's attempt to find a solution 
- let's brainstorm here and see what we can come up with.

Of course I don't want any TDH to be able to start the service.  But I 
would like to understand how the webstack team has made it so easy to 
start the MySQL service, and why we can't do the same thing for 
PostgreSQL.

If what the webstack team is doing is insecure, we should call that out, 
and figure out a more secure solution for all of us.  But perhaps they 
have found a good compromise between security and usability.

I am not sure about the user-generic SMF.  It seems overly-complicated.

I would be happy with a menu item Start PostgreSQL/Stop PostgreSQL and 
it prompts me for the root password - something like gksu.

I was also going to discuss with the OpenSolaris usability folks about 
creating a role like "Developer" that has all the rights set up that a 
developer needs (start/stop MySQL/Apache/PostgreSQL, etc.).  Then at 
install time for SXDE we can ask if the installer wants to grant 
Developer rights to the user they are creating.  What do you think about 
that as a longer-term solution?

Thanks,

David

Jignesh K. Shah wrote:
> Yes I agree with James on allowing every TDH (Tom Dick Harry) access to 
> the SMF service.
> 
> However there is a different way to achieve simplicity out here.
> 
> I don't know yet how this can be done but if we have a "user" generic SMF 
> service where it uses the id of the calling user id, then it allows 
> each user to have their own "instance" of PostgreSQL server. There is a 
> bit of automation required specially for the "port". But I see an 
> advantage of this setup, we can have a very light weight PostgreSQL 
> server postgresql.conf that a user can start which will create a small 
> database in their home directory and also sets environment variables 
> (PGDATA and probably also the port) so when they do psql it connects to 
> user default setup unless mentioned otherwise.
> 
> It is not clean but having a quick script to set it up for users who 
> want it should be easy to provide.
> Logic is simple: if the script is not executed, everything works as it 
> works now; however, if it is executed, it sets up certain default 
> variables and creates a light weight (default) postgresql server that 
> they can use via a generic SMF service specially designed for it.
> 
> This way enterprise installations are still controlled by default SMF, 
> plus a user generic SMF service allows them to create their own light weight 
> setup (which we think will have easy integration for netbeans to 
> identify and add it transparently for that user).
> 
> This I think enables "developers" to be independent of the 
> "administrator" plus really isolates other postgresql developers on the 
> same system.
> 
> What do you think?
> 
> Regards,
> Jignesh
> 
> 
> James Gates wrote:
>> David Van Couvering wrote:
>>> Rather than get lost in the weeds of this kind of argument, I think 
>>> it's very simple: we should understand what we are doing for MySQL 
>>> and Apache, so that I as a non-root user can start the service 
>>> without having to go into RBAC to assign additional rights to the 
>>> user, and I'd like to understand why we can't do the same thing for 
>>> PostgreSQL.
>>>
>>
>> Because it's a blatant security risk. The PostgreSQL SMF service runs 
>> as the "postgres" userid, and would typically manage all databases on 
>> the host (there is a 1 to many relationship between a PostgreSQL 
>> service and databases).
>>
>> We cannot allow a non-privileged user (who has nothing to do with 
>> database administration) to be able to shutdown the PostgreSQL service.
>>
>> By default only the "root" & "postgres" users can do this. The system 
>> administrator can allow other users to do the same by just assigning 
>> them the "Postgres Administration" profile in /etc/user_attr. It's not 
>> difficult, and is perfectly acceptable on a multi-user enterprise 
>> system. This is not MS Windows we're talking about!
>>
>> Quite frankly I'm surprised that you think this is anything other than 
>> correct behavior. Are you seriously suggesting we should allow 
>> *anyone* to shutdown an enterprise service that provides multiple 
>> databases to potentially thousands of clients/applications?
>>
>>> If what we are doing for MySQL and Apache is broken, then we 
>>> should raise this as an issue.  But assuming that what they are doing 
>>> is within the bounds of our security policies, then I don't see why 
>>> we can't follow that model for PostgreSQL.
>>
>> If any/all users on the system can start & stop the MySQL SMF service, 
>> then I would consider this a very serious security bug. And so would 
>> ARC and our security teams (they'd have a fit!)
>>
>> But I'm still not sure if you're actually talking about a MySQL SMF 
>> service - you haven't qualified yet exactly how & what you do with 
>> MySQL & Apache.
>>
>> Please explain exactly how you manage MySQL, from what username, what 
>> privileges this user has. All commands from db creation to starting & 
>> stopping the database.
>>
>>>
>>> If we can't, then we are in the position Josh has brought up: MySQL 
>>> is easier to use on Solaris than PostgreSQL.  That seems off.
>>>
>>> Thanks,
>>>
>>> David
>>>
>>> James Gates wrote:
>>>
>>>>  > the MySQL and Apache services can be enabled by any user with 
>>>> certain
>>>>  > permissions.
>>>>
>>>> What do you mean by "services"? And what do you mean by "certain 
>>>> permissions"? Do you mean SMF services & RBAC profiles?
>>>>
>>>> The PostgreSQL SMF services can be managed by any user/role with the 
>>>> "solaris.smf.manage.postgres" & "solaris.smf.value.postgres" 
>>>> authorizations. Both of which are assigned to the "Postgres 
>>>> Administration" profile.
>>>>
>>>> So you just need to assign the "Postgres Administration" profile to 
>>>> the user(s) in /etc/user_attr that you want to manage the SMF 
>>>> services. Customers can do this easily *after* they've created their 
>>>> usernames.
>>>>
>>>> But think about what you're asking for!!!!!!!! What "other users" do 
>>>> you think we should allow to start PostgreSQL by default? We can't 
>>>> predict what non-default usernames the customer will have on their 
>>>> machines. So, unless we allow *all* users to start & stop postgres, 
>>>> the list of usernames we can give these permissions to is 
>>>> restricted to the list of default users on Solaris:
>>>>
>>>> root
>>>> daemon
>>>> bin
>>>> sys
>>>> adm
>>>> lp
>>>> uucp
>>>> nuucp
>>>> dladm
>>>> smmsp
>>>> listen
>>>> gdm
>>>> webservd
>>>> postgres
>>>> nobody
>>>> noaccess
>>>> nobody4
>>>>
>>>> I don't think giving any of these users permission to start & stop 
>>>> PostgreSQL is what you really had in mind?
>>>>
>>>> And allowing any username to start & stop your default PostgreSQL 
>>>> service is not a good idea!
>>>>
>>>> I think you need to qualify exactly what these MySQL & Apache 
>>>> services are, how they're started, and how the permission to do so 
>>>> is granted.
>>>>
>>>> Personally, I would expect developers who want to use PostgreSQL 
>>>> *not* to use or manage the default SMF services we've provided, but 
>>>> create their own i.e. run initdb & pg_ctl themselves. They probably 
>>>> don't want their database owned by "postgres" & stored in /var 
>>>> anyway. Being owned by user "postgres" creates problems connecting 
>>>> from other usernames, since there won't be equivalent usernames in 
>>>> the database.
>>>>
>>>> And if these developers want automatic startup & shutdown of their 
>>>> own services, they can implement their own SMF services (using our 
>>>> xml script as a template).
>>>>
>>>>
>>>> Josh Berkus wrote:
>>>>
>>>>> Team,
>>>>>
>>>>> The Netbeans folks have brought up the discrepancy that on Nevada, 
>>>>> the PostgreSQL service can only be enabled by "root" or "postgres", 
>>>>> whereas the MySQL and Apache services can be enabled by any user 
>>>>> with certain permissions. I really don't want to get into a 
>>>>> situation where MySQL is "easier to use" on Solaris than 
>>>>> PostgreSQL.  Can we take a look at the RBAC setup, or whatever is 
>>>>> necessary, to make the various Solaris freeware consistent?
>>>>>
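James's point above is that the right to manage the PostgreSQL SMF service is an RBAC grant (the "Postgres Administration" profile, or the solaris.smf.manage.postgres / solaris.smf.value.postgres authorizations recorded in /etc/user_attr), so an administrator can audit who actually holds it. The script below is an added example, not part of this thread or of the Solaris PostgreSQL integration; it parses user_attr(4)-format lines from a constructed sample and lists every account that can manage the service.

```shell
#!/bin/sh
# Added example: audit which accounts can manage the PostgreSQL SMF service.
# An account qualifies if its user_attr entry carries the
# "Postgres Administration" profile, the solaris.smf.manage.postgres
# authorization directly, or the solaris.* wildcard (root's default).
# The sample below is constructed for this example, not taken from a real host.
SAMPLE_USER_ATTR='root::::auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no
postgres::::type=normal;profiles=Postgres Administration
alice::::profiles=Basic Solaris User
bob::::type=normal;auths=solaris.smf.manage.postgres,solaris.smf.value.postgres
dbadmin::::type=role;profiles=Postgres Administration,Basic Solaris User'

# pg_admins: reads user_attr-format lines on stdin, prints one qualifying
# username per line. Field 5 is the attribute list (key=value;key=value),
# and profiles/auths values are comma-separated.
pg_admins() {
  awk -F: '
    /^#/ || NF < 5 { next }
    {
      grant = 0
      n = split($5, kv, ";")
      for (i = 1; i <= n; i++) {
        split(kv[i], pair, "=")
        if (pair[1] == "profiles") {
          m = split(pair[2], p, ",")
          for (j = 1; j <= m; j++)
            if (p[j] == "Postgres Administration") grant = 1
        }
        if (pair[1] == "auths") {
          m = split(pair[2], a, ",")
          for (j = 1; j <= m; j++)
            if (a[j] == "solaris.smf.manage.postgres" || a[j] == "solaris.*") grant = 1
        }
      }
      if (grant) print $1
    }'
}

# pg_admins_sample: run the audit over the constructed sample and return the
# qualifying usernames as a single space-separated string.
pg_admins_sample() {
  printf '%s\n' "$SAMPLE_USER_ATTR" | pg_admins | tr '\n' ' ' | sed 's/ $//'
}

pg_admins_sample
```

On a live Solaris host the same audit is `pg_admins < /etc/user_attr`; note that profiles granted through /etc/security/policy.conf (PROFS_GRANTED) apply to every account and are not visible in user_attr.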
