feat: restrict access to postgres socket

fix: chown sock directory
fix: create sock directory if not existing
2026-02-24 13:37:10 +01:00 · 2026-02-23 00:16:05 +01:00 · 2026-02-23 00:05:14 +01:00 · 2026-02-22 22:57:20 +01:00 · 2026-02-22 22:42:53 +01:00 · 2026-02-22 22:35:06 +01:00
2 changed files with 21 additions and 11 deletions
--- a/files/postgres/postgresql.conf
+++ b/files/postgres/postgresql.conf
@@ -5,7 +5,7 @@
 #-------------------------------------------------------------------------------
 # Change pg_hba location
-hba_file = "/etc/postgres/pg_hba.conf"
+hba_file = '/etc/postgres/pg_hba.conf'
 #-------------------------------------------------------------------------------
@@ -16,7 +16,10 @@ hba_file = "/etc/postgres/pg_hba.conf"
 # Empty listen addresses to disable listening via TCP/IP
 # because we want only uni socket connections
-listen_addresses = ""
+listen_addresses = ''
 # Forbide access to users not in group postgres
 unix_socket_permissions = 0770
 #-------------------------------------------------------------------------------
@@ -26,4 +29,4 @@ listen_addresses = ""
 #-------------------------------------------------------------------------------
 # Redirect logs to stderr to be managed by journald
-log_destination = "stderr"
+log_destination = 'stderr'
--- a/netoik-db.spec
+++ b/netoik-db.spec
@@ -22,25 +22,32 @@ Install the database management system called postgresql with a predefined confi
 %make_install
 %post
 # Create sock directory if not existing
 mkdir --parents --mode 755 "%{_rundir}/postgresql"
 chown postgres:postgres "%{_rundir}/postgresql"
 # Restart services
 systemctl daemon-reload
 systemctl reenable postgresql.service
 systemctl restart postgresql.service
 # Create databases and users from DB_USERS variable (separator is ",") if not existing
 IFS="," read -ra users <<< "$DB_USERS";
 for user in "${users[@]}"; do
-  if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --invert-match postgres | grep --quiet "$user"; then
+  usermod --append --groups postgres "$user";
  if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --quiet "$user"; then
    runuser --user=postgres -- createuser "$user"
    runuser --user=postgres -- createdb --owner="$user" "$user"
  fi
 done 
 # Restart services
 systemctl daemon-reload
 systemctl reenable --now postgresql.service
 %files
-%attr(755, root, root) %{_sysconfdir}/postgres
+%dir %attr(755, root, root) %{_sysconfdir}/postgres
 %attr(644, root, root) %{_sysconfdir}/postgres/postgresql.conf
 %attr(644, root, root) %{_sysconfdir}/postgres/pg_hba.conf
 %dir %attr(755, root, root) %{_unitdir}/postgresql.service.d
 %attr(644, root, root) %{_unitdir}/postgresql.service.d/postgres.conf
 %changelog
 %autochangelog
Author	SHA1	Message	Date
samuel	6e7800721f	feat: restrict access to postgres socket Some checks failed Continuous Delivery / build_n_upload (push) Has been cancelled Details	2026-02-24 13:37:10 +01:00
samuel	fe30792dbf	fix: chown sock directory Some checks failed Continuous Delivery / build_n_upload (push) Has been cancelled Details	2026-02-23 00:16:05 +01:00
samuel	0483f61904	fix: create sock directory if not existing Some checks failed Continuous Delivery / build_n_upload (push) Has been cancelled Details	2026-02-23 00:05:14 +01:00
samuel	ac5a23350d	fix: add systemctl restart Some checks failed Continuous Delivery / build_n_upload (push) Has been cancelled Details	2026-02-22 22:57:20 +01:00
samuel	5870da6249	fix: create db users after service start Some checks failed Continuous Delivery / build_n_upload (push) Has been cancelled Details	2026-02-22 22:42:53 +01:00
samuel	5bf84b3719	fix: add drop-in directory in spec file Some checks failed Continuous Delivery / build_n_upload (push) Has been cancelled Details	2026-02-22 22:35:06 +01:00
samuel	c55e4199e8	fix: postgresql conf quotes Some checks failed Continuous Delivery / build_n_upload (push) Has been cancelled Details	2026-02-22 22:28:21 +01:00