nixos/doc: document how to allow-list tablespaces

It was brought up that the restricted file-system access breaks
tablespaces[1]. I'd argue that this is the desired behavior, the whole
point of the hardening is to lock the service down and I don't consider
tablespaces common enough to elevate privileges again. Especially since
the workaround is trivial as shown in the diff.

For completeness' sake, this adds the necessary `ReadWritePaths` change
to the postgresql section of the manual.

This also adds a small correction about the state of
`ensurePermissions`.

[1] https://github.com/NixOS/nixpkgs/pull/344925#issuecomment-2521188907
Maximilian Bosch 2024-12-11 18:51:53 +01:00
parent 0d2883adc2
commit 51a6938a44

@ -45,9 +45,9 @@ By default, PostgreSQL stores its databases in {file}`/var/lib/postgresql/$psqlS
## Initializing {#module-services-postgres-initializing}
As of NixOS 23.11,
As of NixOS 24.05,
`services.postgresql.ensureUsers.*.ensurePermissions` has been
deprecated, after a change to default permissions in PostgreSQL 15
removed, after a change to default permissions in PostgreSQL 15
invalidated most of its previous use cases:
- In psql < 15, `ALL PRIVILEGES` used to include `CREATE TABLE`, where
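Review bot: the rewritten sentence collapses the timeline into a single fact ("As of NixOS 24.05, `services.postgresql.ensureUsers.*.ensurePermissions` has been removed") and drops the information the old sentence carried, namely that the option was first deprecated in NixOS 23.11; consider stating both, e.g. "deprecated in NixOS 23.11 and removed in NixOS 24.05", so readers still on 23.11 understand why their configuration warns rather than fails. The remainder of the paragraph ("invalidated most of its previous use cases: - In psql < 15, `ALL PRIVILEGES` used to include `CREATE TABLE`, ...") was written as the rationale for a deprecation; now that the option is gone it is worth a re-read so the tense and framing match.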
@ -375,6 +375,14 @@ several common hardening options from `systemd`, most notably:
* A stricter default UMask (`0027`).
* Only sockets of type `AF_INET`/`AF_INET6`/`AF_NETLINK`/`AF_UNIX` allowed.
* Restricted filesystem access (private `/tmp`, most of the file-system hierachy is mounted read-only, only process directories in `/proc` that are owned by the same user).
* When using [`TABLESPACE`](https://www.postgresql.org/docs/current/manage-ag-tablespaces.html)s, make sure to add the filesystem paths to `ReadWritePaths` like this:
```nix
{
systemd.services.postgresql.serviceConfig.ReadWritePaths = [
"/path/to/tablespace/location"
];
}
```
The NixOS module also contains necessary adjustments for extensions from `nixpkgs`
if these are enabled. If an extension or a postgresql feature from `nixpkgs` breaks
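Review bot: the new `TABLESPACE` bullet is an instruction dropped into a list that otherwise enumerates restrictions ("A stricter default UMask", "Only sockets of type ...", "Restricted filesystem access ..."); it reads more naturally as a continuation of the "Restricted filesystem access" item or as a short paragraph placed after the list, with the `ReadWritePaths` snippet following it, so that "most notably:" still introduces a homogeneous list. For the snippet itself, two clarifications would help readers: whether the list given here merges with or overrides the `ReadWritePaths` the module already sets (the example uses a plain `=`, which some readers will take for an override), and that the placeholder `"/path/to/tablespace/location"` must be the same directory handed to `CREATE TABLESPACE`, since the linked PostgreSQL page is the only hint of that. Drive-by in the unchanged context line above: "hierachy" should be "hierarchy".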