feat: restrict access to postgres socket

files/postgres/postgresql.conf

@@ -18,6 +18,9 @@ hba_file = '/etc/postgres/pg_hba.conf'
 # because we want only uni socket connections
 listen_addresses = ''
 
+# Forbide access to users not in group postgres
+unix_socket_permissions = 0770
+
 
 #-------------------------------------------------------------------------------
 # REPORTING AND LOGGING

netoik-db.spec

@@ -22,19 +22,25 @@ Install the database management system called postgresql with a predefined confi
 %make_install
 
 %post
+# Create sock directory if not existing
+mkdir --parents --mode 755 "%{_rundir}/postgresql"
+chown postgres:postgres "%{_rundir}/postgresql"
+
+# Restart services
+systemctl daemon-reload
+systemctl reenable postgresql.service
+systemctl restart postgresql.service
+
 # Create databases and users from DB_USERS variable (separator is ",") if not existing
 IFS="," read -ra users <<< "$DB_USERS";
 for user in "${users[@]}"; do
-  if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --invert-match postgres | grep --quiet "$user"; then
+  usermod --append --groups postgres "$user";
+  if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --quiet "$user"; then
     runuser --user=postgres -- createuser "$user"
     runuser --user=postgres -- createdb --owner="$user" "$user"
   fi
 done 
 
-# Restart services
-systemctl daemon-reload
-systemctl reenable --now postgresql.service
-
 %files
 %dir %attr(755, root, root) %{_sysconfdir}/postgres
 %attr(644, root, root) %{_sysconfdir}/postgres/postgresql.conf
@@ -45,4 +51,3 @@ systemctl reenable --now postgresql.service
 
 %changelog
 %autochangelog
-