From 6e7800721f07627654456b7b212971647b4bacce Mon Sep 17 00:00:00 2001
From: samuel
Date: Tue, 24 Feb 2026 13:37:10 +0100
Subject: [PATCH] feat: restrict access to postgres socket

---
 files/postgres/postgresql.conf | 3 +++
 netoik-db.spec                 | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/files/postgres/postgresql.conf b/files/postgres/postgresql.conf
index 07463f3..ec7b785 100644
--- a/files/postgres/postgresql.conf
+++ b/files/postgres/postgresql.conf
@@ -18,6 +18,9 @@ hba_file = '/etc/postgres/pg_hba.conf'
 # because we want only uni socket connections
 listen_addresses = ''
 
+# Forbide access to users not in group postgres
+unix_socket_permissions = 0770
+
 #-------------------------------------------------------------------------------
 # REPORTING AND LOGGING
 
diff --git a/netoik-db.spec b/netoik-db.spec
index a14f4d1..ee89982 100644
--- a/netoik-db.spec
+++ b/netoik-db.spec
@@ -34,7 +34,8 @@ systemctl restart postgresql.service
 # Create databases and users from DB_USERS variable (separator is ",") if not existing
 IFS="," read -ra users <<< "$DB_USERS";
 for user in "${users[@]}"; do
-  if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --invert-match postgres | grep --quiet "$user"; then
+  usermod --append --groups postgres "$user";
+  if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --quiet "$user"; then
     runuser --user=postgres -- createuser "$user"
     runuser --user=postgres -- createdb --owner="$user" "$user"
   fi
@@ -50,4 +51,3 @@ done
 
 %changelog
 %autochangelog
-
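Review bot: `unix_socket_permissions = 0770` restricts the socket to its owner and its owning group, and that group is the server user's primary group unless `unix_socket_group` is set, so the new comment should state that dependency rather than only the intent, e.g. `# 0770: socket usable only by the server user and the socket's owning group (see unix_socket_group); pg_hba.conf still authenticates every connection`. The comment also has a typo, `Forbide` → `Forbid`. This is a filesystem-level gate in addition to pg_hba rules, not a replacement for them; the directory holding the socket (`unix_socket_directories`) must also remain traversable by that group or the mode is moot.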
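Review bot: The new `usermod --append --groups postgres "$user"` line adds every DB_USERS account to the server's whole `postgres` group, which is broader than socket access (anything the postgres group can read or write becomes reachable from those accounts), and its exit status is unchecked, so a name with no Unix account fails silently and the loop still goes on to create the database role. A narrower grant is a dedicated socket group (set via `unix_socket_group` in postgresql.conf) that these accounts join instead, and the status should be checked, e.g. `usermod --append --groups postgres "$user" || exit 1`. Dropping `grep --invert-match postgres` also widens the existence check: `grep --quiet "$user"` is an unanchored regex over the whole `\du` output, so `bob` is treated as existing when `bobby` or any role attribute text contains it; an exact, literal match is `runuser --user=postgres -- psql --quiet --tuples-only --no-align --command='SELECT rolname FROM pg_roles' | grep --quiet --fixed-strings --line-regexp -- "$user"`. The loop's `done` lies outside the hunk.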