I see. PostgreSQL doesn't provide a (setuid?) script to do this, but it is still easily done for PostgreSQL with the command:

    su - root -c 'usermod -P "Postgres Administration" <user>'

(I suspect this is all your script does under the covers.) This will prompt for the root password. When complete the named user will have the necessary authorization (profile) to manage all the PostgreSQL SMF services (start, stop, restart, etc.)

I suppose we could put this command in a script for PostgreSQL developers who really know nothing about Solaris RBAC. Or just document it in a man page.

But the fact still remains that if you do this for more than one user, then they could easily adversely affect each other - by default there is only *one* SMF service for an instance of PostgreSQL, which is potentially shared by all database users. We have predefined a default instance for each of the different PostgreSQL versions available. Currently:

    postgresql:version_81
    postgresql:version_82

Each instance can manage multiple databases. You don't want one user restarting version_82 when others are still using it to access other databases.

Jignesh suggested having multiple SMF services (one for each user, each with their own PostgreSQL instance, managing their own databases). This is preferable, and worth pursuing. But I'm not sure how you can do this with SMF. As far as I'm aware the SMF service instances have to be predetermined.

ludo wrote:
> David Van Couvering wrote:
>
>> Given that we are in OpenSolaris, I think this discussion needs to be
>> moved to the public aliases, so I'm taking it there. There are a lot
>> of smart folks out there who I am sure can contribute their experience
>> and knowledge to this discussion.
>>
>> We can't only serve the needs of the production/IT user at the cost of
>> usability for the developer. "Secure by default" doesn't have to mean
>> "PITA by default." So I appreciate Jignesh's attempt to find a
>> solution - let's brainstorm here and see what we can come up with.
>>
>> Of course I don't want any TDH to be able to start the service. But I
>> would like to understand how the webstack team has made it so easy to
>> start the MySQL service, and why we can't do the same thing for
>> PostgreSQL.
>>
>> If what the webstack team is doing is insecure, we should call that
>> out, and figure out a more secure solution for all of us. But perhaps
>> they have found a good compromise between security and usability.
>>
> The webstack has a script that can call on demand another script
> running as root (so the user has to know the root password, or the root
> user has to run this script for this user) to add the SMF privileges to
> start/stop/restart the services.
> I see no security issue since at one point of time, the root user *has
> to* do some processing and this processing of adding rights to a regular
> user is under the full control of the root user. If the regular user does
> not have the root password, then the script cannot run. What is nice
> about this process is that it is run only once. It is basically an
> optional extra installation step, for the users interested in using the
> webstack.
>
>
>> I am not sure about the user-generic SMF. It seems overly complicated.
>>
>> I would be happy with a menu item Start PostgreSQL/Stop PostgreSQL and
>> it prompts me for the root password - something like gksu.
>
> Which is what we are doing for MySQL.
>
>>
>> I was also going to discuss with the OpenSolaris usability folks about
>> creating a role like "Developer" that has all the rights set up that a
>> developer needs (start/stop MySQL/Apache/PostgreSQL, etc.). Then at
>> install time for SXDE we can ask if the installer wants to grant
>> Developer rights to the user they are creating. What do you think
>> about that as a longer-term solution?
>
> I already proposed that, but did not get a lot of traction...
> SXDE was meant for a Developer, but at the end of an SXDE installation,
> you end up with a root user (with a strong warning when you try to
> login to the desktop that this should not be done) and a stupid user
> that can run firefox or staroffice, but not really DEVELOP using the
> SXDE services (apache, mysql, postgres, default GlassFish domain, etc).
> Hence the need for a setup script to enable a Developer profile for this
> user (that I call Mister D).
>
> Ludo
>
>>
>> Thanks,
>>
>> David
>>
>> Jignesh K. Shah wrote:
>>
>>> Yes I agree with James on allowing every TDH (Tom, Dick, Harry) access
>>> to the SMF service.
>>>
>>> However there is a different way to achieve simplicity out here.
>>>
>>> I don't know yet how this can be done but if we have a "user" generic
>>> SMF service where it uses the id of the calling user id, then it
>>> allows each user to have their own "instance" of PostgreSQL server.
>>> There is a bit of automation required specially for the "port". But I
>>> see an advantage of this setup, we can have a very light weight
>>> PostgreSQL server postgresql.conf that a user can start which will
>>> create a small database in their home directory and also sets
>>> environment variables (PGDATA and probably also the port) so when
>>> they do psql it connects to the user default setup unless mentioned
>>> otherwise.
>>>
>>> It is not clean but having a quick script to set it up for users who
>>> want it should be easy to provide.
>>> Logic is simple: if the script is not executed, everything works as it
>>> works now; however if it is executed, it sets up certain default
>>> variables and creates a light weight (default) PostgreSQL server that
>>> they can use via a generic SMF service specially designed for it.
>>>
>>> This way enterprise installations are still controlled by the default
>>> SMF, plus a user generic SMF service allows them to create their own light
>>> weight setup (which we think will have easy integration for NetBeans
>>> to identify and add it transparently for that user).
>>>
>>> This I think enables "developers" to be independent of the
>>> "administrator" plus really isolates other PostgreSQL developers on
>>> the same system.
>>>
>>> What do you think?
>>>
>>> Regards,
>>> Jignesh
>>>
>>>
>>> James Gates wrote:
>>>
>>>> David Van Couvering wrote:
>>>>
>>>>> Rather than get lost in the weeds of this kind of argument, I think
>>>>> it's very simple: we should understand what we are doing for MySQL
>>>>> and Apache, so that I as a non-root user can start the service
>>>>> without having to go into RBAC to assign additional rights to the
>>>>> user, and I'd like to understand why we can't do the same thing for
>>>>> PostgreSQL.
>>>>>
>>>>
>>>> Because it's a blatant security risk. The PostgreSQL SMF service
>>>> runs as the "postgres" userid, and would typically manage all
>>>> databases on the host (there is a 1 to many relationship between a
>>>> PostgreSQL service and databases).
>>>>
>>>> We cannot allow a non-privileged user (who has nothing to do with
>>>> database administration) to be able to shutdown the PostgreSQL service.
>>>>
>>>> By default only the "root" & "postgres" users can do this. The
>>>> system administrator can allow other users to do the same by just
>>>> assigning them the "Postgres Administration" profile in
>>>> /etc/user_attr. It's not difficult, and is perfectly acceptable on a
>>>> multi-user enterprise system. This is not MS Windows we're talking
>>>> about!
>>>>
>>>> Quite frankly I'm surprised that you think this is anything other
>>>> than correct behavior. Are you seriously suggesting we should allow
>>>> *anyone* to shutdown an enterprise service that provides multiple
>>>> databases to potentially thousands of clients/applications?
>>>>
>>>>> If what we are doing for MySQL and Apache is broken, then
>>>>> we should raise this as an issue. But assuming that what they are
>>>>> doing is within the bounds of our security policies, then I don't
>>>>> see why we can't follow that model for PostgreSQL.
>>>>
>>>>
>>>> If any/all users on the system can start & stop the MySQL SMF
>>>> service, then I would consider this a very serious security bug. And
>>>> so would ARC and our security teams (they'd have a fit!)
>>>>
>>>> But I'm still not sure if you're actually talking about a MySQL SMF
>>>> service - you haven't qualified yet exactly how & what you do with
>>>> MySQL & Apache.
>>>>
>>>> Please explain exactly how you manage MySQL, from what username,
>>>> what privileges this user has. All commands from db creation to
>>>> starting & stopping the database.
>>>>
>>>>>
>>>>> If we can't, then we are in the position Josh has brought up: MySQL
>>>>> is easier to use on Solaris than PostgreSQL. That seems off.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> David
>>>>>
>>>>> James Gates wrote:
>>>>>
>>>>>> > the MySQL and Apache services can be enabled by any user with
>>>>>> certain
>>>>>> > permissions.
>>>>>>
>>>>>> What do you mean by "services"? And what do you mean by "certain
>>>>>> permissions"? Do you mean SMF services & RBAC profiles?
>>>>>>
>>>>>> The PostgreSQL SMF services can be managed by any user/role with
>>>>>> the "solaris.smf.manage.postgres" & "solaris.smf.value.postgres"
>>>>>> authorizations. Both of which are assigned to the "Postgres
>>>>>> Administration" profile.
>>>>>>
>>>>>> So you just need to assign the "Postgres Administration" profile
>>>>>> to the user(s) in /etc/user_attr that you want to manage the SMF
>>>>>> services. Customers can do this easily *after* they've created
>>>>>> their usernames.
>>>>>>
>>>>>> But think about what you're asking for!!!!!!!! What "other users"
>>>>>> do you think we should allow to start PostgreSQL by default? We
>>>>>> can't predict what non-default usernames the customer will have on
>>>>>> their machines. So, unless we allow *all* users to start & stop
>>>>>> postgres, the list of usernames we can give these permissions to
>>>>>> is restricted to the list of default users on Solaris:
>>>>>>
>>>>>> root
>>>>>> daemon
>>>>>> bin
>>>>>> sys
>>>>>> adm
>>>>>> lp
>>>>>> uucp
>>>>>> nuucp
>>>>>> dladm
>>>>>> smmsp
>>>>>> listen
>>>>>> gdm
>>>>>> webservd
>>>>>> postgres
>>>>>> nobody
>>>>>> noaccess
>>>>>> nobody4
>>>>>>
>>>>>> I don't think giving any of these users permission to start & stop
>>>>>> PostgreSQL is what you really had in mind?
>>>>>>
>>>>>> And allowing any username to start & stop your default PostgreSQL
>>>>>> service is not a good idea!
>>>>>>
>>>>>> I think you need to qualify exactly what these MySQL & Apache
>>>>>> services are, how they're started, and how the permission to do so
>>>>>> is granted.
>>>>>>
>>>>>> Personally, I would expect developers who want to use PostgreSQL
>>>>>> *not* to use or manage the default SMF services we've provided,
>>>>>> but create their own i.e. run initdb & pg_ctl themselves. They
>>>>>> probably don't want their database owned by "postgres" & stored in
>>>>>> /var anyway. Being owned by user "postgres" creates problems
>>>>>> connecting from other usernames, since there won't be equivalent
>>>>>> usernames in the database.
>>>>>>
>>>>>> And if these developers want automatic startup & shutdown of their
>>>>>> own services, they can implement their own SMF services (using our
>>>>>> xml script as a template).
>>>>>>
>>>>>>
>>>>>> Josh Berkus wrote:
>>>>>>
>>>>>>> Team,
>>>>>>>
>>>>>>> The Netbeans folks have brought up the discrepancy that on
>>>>>>> Nevada, the PostgreSQL service can only be enabled by "root" or
>>>>>>> "postgres", whereas the MySQL and Apache services can be enabled
>>>>>>> by any user with certain permissions. I really don't want to get
>>>>>>> into a situation where MySQL is "easier to use" on Solaris than
>>>>>>> PostgreSQL. Can we take a look at the RBAC setup, or whatever is
>>>>>>> necessary, to make the various Solaris freeware consistent?
>>>>>>>
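Added example, not part of the thread and not code from the Solaris PostgreSQL integration: a POSIX shell script that walks the RBAC chain the messages above describe (user -> "profiles=" entry in /etc/user_attr -> "auths=" entry in /etc/security/prof_attr) and reports which users end up holding both solaris.smf.manage.postgres and solaris.smf.value.postgres, i.e. who can stop or restart the shared postgresql:version_81 / version_82 instances. The file contents are constructed samples embedded in the script (the developer account jdoe is made up; root, postgres and guest mirror typical defaults), so it runs offline without reading the real files. On a live Solaris box the same answer comes from `profiles <user>` and `auths <user>`; the point of the script is to make the shared-instance caveat concrete: every user granted the profile with `usermod -P "Postgres Administration" <user>` lands in the "CAN" column and can take the service down for everyone else.

```shell
#!/bin/sh
# Added example: resolve user -> RBAC profile -> authorizations the way
# /etc/user_attr and /etc/security/prof_attr chain together, then report
# who can manage the PostgreSQL SMF services. Works only on the constructed
# sample entries below; it does not read the real files.

# Constructed sample of /etc/user_attr (user:qualifier:res1:res2:attr).
# jdoe is a made-up developer who was given the profile with
#   usermod -P "Postgres Administration" jdoe
USER_ATTR='root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
postgres::::type=normal;profiles=Postgres Administration
jdoe::::type=normal;profiles=Postgres Administration,Basic Solaris User
guest::::type=normal;profiles=Basic Solaris User'

# Constructed sample of /etc/security/prof_attr (profname:res1:res2:desc:attr).
PROF_ATTR='Postgres Administration:::Manage the PostgreSQL SMF services:auths=solaris.smf.manage.postgres,solaris.smf.value.postgres
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read'

# attr_values CONTENT KEYNAME ATTRKEY
# Prints, one per line, the comma-separated values of "ATTRKEY=" inside the
# key=value;key=value attribute field (column 5) of the record whose first
# column equals KEYNAME. Shared by all lookups below.
attr_values() {
    printf '%s\n' "$1" | awk -F: -v key="$2" -v want="$3" '
        $1 == key {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (index(kv[i], want "=") == 1) {
                    sub("^" want "=", "", kv[i])
                    m = split(kv[i], vals, ",")
                    for (j = 1; j <= m; j++) if (vals[j] != "") print vals[j]
                }
            }
        }'
}

user_profiles()     { attr_values "$USER_ATTR" "$1" profiles; }  # profiles= on the user
user_direct_auths() { attr_values "$USER_ATTR" "$1" auths; }     # auths= assigned directly
profile_auths()     { attr_values "$PROF_ATTR" "$1" auths; }     # auths= carried by a profile

# user_auths USER: every authorization USER holds, directly or through one
# of its profiles, one per line, sorted and de-duplicated.
user_auths() {
    {
        user_direct_auths "$1"
        user_profiles "$1" | while IFS= read -r prof; do
            profile_auths "$prof"
        done
    } | sort -u
}

# has_auth AUTHLIST WANT: succeeds if WANT appears exactly in AUTHLIST or is
# covered by a trailing-wildcard entry such as solaris.smf.* or solaris.*
# (a simplified form of the prefix matching Solaris RBAC performs).
has_auth() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $0 == want { found = 1; exit }
        /\.\*$/ && index(want, substr($0, 1, length($0) - 1)) == 1 { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# can_manage_postgres USER: both authorizations that the "Postgres
# Administration" profile grants are needed to svcadm the shared
# postgresql:version_8x instances.
can_manage_postgres() {
    auths=$(user_auths "$1")
    has_auth "$auths" solaris.smf.manage.postgres &&
        has_auth "$auths" solaris.smf.value.postgres
}

# Report: who on this sample system can restart the shared instances.
printf '%s\n' "$USER_ATTR" | cut -d: -f1 | while IFS= read -r u; do
    if can_manage_postgres "$u"; then
        printf '%-10s CAN stop/restart the shared PostgreSQL instances\n' "$u"
    else
        printf '%-10s cannot\n' "$u"
    fi
done
```

Running it lists root, postgres and jdoe in the "CAN" column and guest as "cannot"; that first column is exactly the set of people who can restart version_82 out from under each other, which is why the per-user instance idea is the only way to hand the profile (or an equivalent) to several developers without them sharing a blast radius.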