feat: restrict access to postgres socket

fix: chown sock directory
2026-02-24 13:37:10 +01:00 · 2026-02-23 00:16:05 +01:00
2 changed files with 7 additions and 3 deletions
--- a/files/postgres/postgresql.conf
+++ b/files/postgres/postgresql.conf
@@ -18,6 +18,9 @@ hba_file = '/etc/postgres/pg_hba.conf'
 # because we want only uni socket connections
 listen_addresses = ''
 # Forbide access to users not in group postgres
 unix_socket_permissions = 0770
 #-------------------------------------------------------------------------------
 # REPORTING AND LOGGING
--- a/netoik-db.spec
+++ b/netoik-db.spec
@@ -23,7 +23,8 @@ Install the database management system called postgresql with a predefined confi
 %post
 # Create sock directory if not existing
-mkdir --parents "%{_rundir}/postgresql"
+mkdir --parents --mode 755 "%{_rundir}/postgresql"
 chown postgres:postgres "%{_rundir}/postgresql"
 # Restart services
 systemctl daemon-reload
@@ -33,7 +34,8 @@ systemctl restart postgresql.service
 # Create databases and users from DB_USERS variable (separator is ",") if not existing
 IFS="," read -ra users <<< "$DB_USERS";
 for user in "${users[@]}"; do
-  if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --invert-match postgres | grep --quiet "$user"; then
+  usermod --append --groups postgres "$user";
  if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --quiet "$user"; then
    runuser --user=postgres -- createuser "$user"
    runuser --user=postgres -- createdb --owner="$user" "$user"
  fi
@@ -49,4 +51,3 @@ done
 %changelog
 %autochangelog
Author	SHA1	Message	Date
samuel	6e7800721f	feat: restrict access to postgres socket Some checks failed Continuous Delivery / build_n_upload (push) Has been cancelled Details	2026-02-24 13:37:10 +01:00
samuel	fe30792dbf	fix: chown sock directory Some checks failed Continuous Delivery / build_n_upload (push) Has been cancelled Details	2026-02-23 00:16:05 +01:00