From: Julien Moutinho Date: Sat, 30 Mar 2013 14:31:51 +0000 (+0100) Subject: Correction : vm_hosted : rule_postgresql_configure : sécurise. X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=commitdiff_plain;h=80909c24d0e4ca5061f3379852ac07b296760883 Correction : vm_hosted : rule_postgresql_configure : sécurise. --- diff --git a/etc/init.d/tmpfs b/etc/init.d/tmpfs index adae6f3..05370f0 100755 --- a/etc/init.d/tmpfs +++ b/etc/init.d/tmpfs @@ -55,6 +55,11 @@ do_start() { /run/mysqld \ /run/mysqld/sock + ! getent passwd postgres >/dev/null || + sudo install -d -m 1771 -o postgres -g postgres \ + /run/postgresql \ + /run/postgresql/sock + sudo install -d -m 1771 -o root -g root \ /run/spawn-fcgi fi diff --git a/etc/postgresql/9.1/main/postgresql.conf b/etc/postgresql/9.1/main/postgresql.conf index 2ecb1e8..e723641 100644 --- a/etc/postgresql/9.1/main/postgresql.conf +++ b/etc/postgresql/9.1/main/postgresql.conf @@ -1,41 +1,41 @@ -#archive_command = '' # command to use to archive a logfile segment -#archive_mode = off # allows archiving to be done -#archive_timeout = 0 # force a logfile segment switch after this +#archive_command = '' # command to use to archive a logfile segment +#archive_mode = off # allows archiving to be done +#archive_timeout = 0 # force a logfile segment switch after this #array_nulls = on -#authentication_timeout = 1min # 1s-600s -#autovacuum = on # Enable autovacuum subprocess? 'on' -#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze -#autovacuum_analyze_threshold = 50 # min number of row updates before -#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum -#autovacuum_max_workers = 3 # max number of autovacuum subprocesses -#autovacuum_naptime = 1min # time between autovacuum runs -#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for -#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for -#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum -#autovacuum_vacuum_threshold = 50 # min number of row updates before -#backslash_quote = safe_encoding # on, off, or safe_encoding -#bgwriter_delay = 200ms # 10-10000ms between rounds -#bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round -#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round -#bonjour = off # advertise server via Bonjour -#bonjour_name = '' # defaults to the computer name -#bytea_output = 'hex' # hex, escape +#authentication_timeout = 1min # 1s-600s +#autovacuum = on # Enable autovacuum subprocess? 'on' +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_analyze_threshold = 50 # min number of row updates before +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum +#autovacuum_max_workers = 3 # max number of autovacuum subprocesses +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_vacuum_threshold = 50 # min number of row updates before +#backslash_quote = safe_encoding # on, off, or safe_encoding +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round +bonjour = off # advertise server via Bonjour +#bonjour_name = '' # defaults to the computer name +#bytea_output = 'hex' # hex, escape #check_function_bodies = on -#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 -#checkpoint_segments = 3 # in logfile segments, min 1, 16MB each -#checkpoint_timeout = 5min # range 30s-1h -#checkpoint_warning = 30s # 0 disables -#client_encoding = sql_ascii # actually, defaults to database -#client_min_messages = notice # values in order of decreasing detail: -#commit_delay = 0 # range 0-100000, in microseconds -#commit_siblings = 5 # range 1-1000 -#constraint_exclusion = partition # on, off, or partition -#cpu_index_tuple_cost = 0.005 # same scale as above -#cpu_operator_cost = 0.0025 # same scale as above -#cpu_tuple_cost = 0.01 # same scale as above -#cursor_tuple_fraction = 0.1 # range 0.0-1.0 -#custom_variable_classes = '' # list of custom variable class names -data_directory = '/var/lib/postgresql/9.1/main' # use data in another directory +#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_segments = 3 # in logfile segments, min 1, 16MB each +#checkpoint_timeout = 5min # range 30s-1h +#checkpoint_warning = 30s # 0 disables +#client_encoding = sql_ascii # actually, defaults to database +#client_min_messages = notice # values in order of decreasing detail: +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 +#constraint_exclusion = partition # on, off, or partition +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#custom_variable_classes = '' # list of custom variable class names +data_directory = '/home/postgresql/data' # use data in another directory datestyle = 'iso, dmy' #db_user_namespace = off #deadlock_timeout = 1s @@ -43,8 +43,8 @@ datestyle = 'iso, dmy' #debug_print_parse = off #debug_print_plan = off #debug_print_rewritten = off -#default_statistics_target = 100 # range 1-10000 -#default_tablespace = '' # a tablespace name, '' uses the default +#default_statistics_target = 100 # range 1-10000 +#default_tablespace = '' # a tablespace name, '' uses the default default_text_search_config = 'pg_catalog.french' #default_transaction_deferrable = off #default_transaction_isolation = 'read committed' @@ -63,126 +63,126 @@ default_text_search_config = 'pg_catalog.french' #enable_sort = on #enable_tidscan = on #escape_string_warning = on -#exit_on_error = off # terminate session on any error? -external_pid_file = '/var/run/postgresql/9.1-main.pid' # write an extra PID file -#extra_float_digits = 0 # min -15, max 3 +#exit_on_error = off # terminate session on any error? +external_pid_file = '/run/postgresql/9.1-main.pid' # write an extra PID file +#extra_float_digits = 0 # min -15, max 3 #from_collapse_limit = 8 -#fsync = on # turns forced synchronization on or off -#full_page_writes = on # recover from partial page writes +#fsync = on # turns forced synchronization on or off +#full_page_writes = on # recover from partial page writes #geqo = on -#geqo_effort = 5 # range 1-10 -#geqo_generations = 0 # selects default based on effort -#geqo_pool_size = 0 # selects default based on effort -#geqo_seed = 0.0 # range 0.0-1.0 -#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_effort = 5 # range 1-10 +#geqo_generations = 0 # selects default based on effort +#geqo_pool_size = 0 # selects default based on effort +#geqo_seed = 0.0 # range 0.0-1.0 +#geqo_selection_bias = 2.0 # range 1.5-2.0 #geqo_threshold = 12 -hba_file = '/etc/postgresql/9.1/main/pg_hba.conf' # host-based authentication file -#hot_standby = off # "on" allows queries during recovery -#hot_standby_feedback = off # send info from standby to prevent -ident_file = '/etc/postgresql/9.1/main/pg_ident.conf' # ident configuration file +hba_file = '/etc/postgresql/9.1/main/pg_hba.conf' # host-based authentication file +#hot_standby = off # "on" allows queries during recovery +#hot_standby_feedback = off # send info from standby to prevent +ident_file = '/etc/postgresql/9.1/main/pg_ident.conf' # ident configuration file #intervalstyle = 'postgres' -#join_collapse_limit = 8 # 1 disables collapsing of explicit +#join_collapse_limit = 8 # 1 disables collapsing of explicit #krb_caseins_users = off #krb_server_keyfile = '' -#krb_srvname = 'postgres' # (Kerberos only) -lc_messages = 'fr_FR.utf8' # locale for system error message -lc_monetary = 'fr_FR.utf8' # locale for monetary formatting -lc_numeric = 'fr_FR.utf8' # locale for number formatting -lc_time = 'fr_FR.utf8' # locale for time formatting -#listen_addresses = 'localhost' # what IP address(es) to listen on; +#krb_srvname = 'postgres' # (Kerberos only) +lc_messages = 'fr_FR.utf8' # locale for system error message +lc_monetary = 'fr_FR.utf8' # locale for monetary formatting +lc_numeric = 'fr_FR.utf8' # locale for number formatting +lc_time = 'fr_FR.utf8' # locale for time formatting +#listen_addresses = 'localhost' # what IP address(es) to listen on; #lo_compat_privileges = off #local_preload_libraries = '' -#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and +#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and #log_checkpoints = off #log_connections = off -#log_destination = 'stderr' # Valid values are combinations of -#log_directory = 'pg_log' # directory where log files are written, +log_destination = 'stderr' +#log_directory = 'pg_log' # directory where log files are written, #log_disconnections = off #log_duration = off -#log_error_verbosity = default # terse, default, or verbose messages +#log_error_verbosity = default # terse, default, or verbose messages #log_executor_stats = off -#log_file_mode = 0600 # creation mode for log files, -#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, +#log_file_mode = 0600 # creation mode for log files, +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, #log_hostname = off -log_line_prefix = '%t ' # special values: -#log_lock_waits = off # log lock waits >= deadlock_timeout -#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements -#log_min_error_statement = error # values in order of decreasing detail: -#log_min_messages = warning # values in order of decreasing detail: +log_line_prefix = '%t ' # special values: +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements +#log_min_error_statement = error # values in order of decreasing detail: +#log_min_messages = warning # values in order of decreasing detail: #log_parser_stats = off #log_planner_stats = off -#log_rotation_age = 1d # Automatic rotation of logfiles will -#log_rotation_size = 10MB # Automatic rotation of logfiles will -#log_statement = 'none' # none, ddl, mod, all +#log_rotation_age = 1d # Automatic rotation of logfiles will +#log_rotation_size = 10MB # Automatic rotation of logfiles will +#log_statement = 'none' # none, ddl, mod, all #log_statement_stats = off -#log_temp_files = -1 # log temporary files equal or larger +#log_temp_files = -1 # log temporary files equal or larger #log_timezone = '(defaults to server environment setting)' -#log_truncate_on_rotation = off # If on, an existing log file with the -#logging_collector = off # Enable capturing of stderr and csvlog -#maintenance_work_mem = 16MB # min 1MB -max_connections = 100 # (change requires restart) -#max_files_per_process = 1000 # min 25 -#max_locks_per_transaction = 64 # min 10 -#max_pred_locks_per_transaction = 64 # min 10 -#max_prepared_transactions = 0 # zero disables the feature -#max_stack_depth = 2MB # min 100kB -#max_standby_archive_delay = 30s # max delay before canceling queries -#max_standby_streaming_delay = 30s # max delay before canceling queries -#max_wal_senders = 0 # max number of walsender processes -#password_encryption = on -port = 5432 # (change requires restart) +#log_truncate_on_rotation = off # If on, an existing log file with the +#logging_collector = off # Enable capturing of stderr and csvlog +#maintenance_work_mem = 16MB # min 1MB +max_connections = 100 # (change requires restart) +#max_files_per_process = 1000 # min 25 +#max_locks_per_transaction = 64 # min 10 +#max_pred_locks_per_transaction = 64 # min 10 +#max_prepared_transactions = 0 # zero disables the feature +#max_stack_depth = 2MB # min 100kB +#max_standby_archive_delay = 30s # max delay before canceling queries +#max_standby_streaming_delay = 30s # max delay before canceling queries +#max_wal_senders = 0 # max number of walsender processes +password_encryption = on +port = 5432 # (change requires restart) #quote_all_identifiers = off -#random_page_cost = 4.0 # same scale as above -#replication_timeout = 60s # in milliseconds; 0 disables -#restart_after_crash = on # reinitialize after backend crash? -#search_path = '"$user",public' # schema names -#seq_page_cost = 1.0 # measured on an arbitrary scale +#random_page_cost = 4.0 +#replication_timeout = 60s # in milliseconds; 0 disables +#restart_after_crash = on # reinitialize after backend crash? +#search_path = '"$user",public' # schema names +#seq_page_cost = 1.0 # measured on an arbitrary scale #session_replication_role = 'origin' -shared_buffers = 32MB # min 128kB -#shared_preload_libraries = '' # (change requires restart) -#silent_mode = off # Run server silently. +shared_buffers = 128MB # min 128kB +#shared_preload_libraries = '' # (change requires restart) +#silent_mode = off # Run server silently. #sql_inheritance = on -#ssl = off # (change requires restart) -#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers -#ssl_renegotiation_limit = 512MB # amount of data between renegotiations +ssl = off # (change requires restart) +#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers +#ssl_renegotiation_limit = 512MB # amount of data between renegotiations #standard_conforming_strings = on -#statement_timeout = 0 # in milliseconds, 0 is disabled +#statement_timeout = 0 # in milliseconds, 0 is disabled #stats_temp_directory = 'pg_stat_tmp' -#superuser_reserved_connections = 3 # (change requires restart) +#superuser_reserved_connections = 3 # (change requires restart) #synchronize_seqscans = on -#synchronous_commit = on # synchronization level; on, off, or local -#synchronous_standby_names = '' # standby servers that provide sync rep -#tcp_keepalives_count = 0 # TCP_KEEPCNT; -#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; -#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; -#temp_buffers = 8MB # min 800kB -#temp_tablespaces = '' # a list of tablespace names, '' uses +#synchronous_commit = on # synchronization level; on, off, or local +#synchronous_standby_names = '' # standby servers that provide sync rep +#tcp_keepalives_count = 0 # TCP_KEEPCNT; +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; +#temp_buffers = 8MB # min 800kB +#temp_tablespaces = '' # a list of tablespace names, '' uses #timezone = '(defaults to server environment setting)' #timezone_abbreviations = 'Default' # Select the set of available time zone #track_activities = on -#track_activity_query_size = 1024 # (change requires restart) +#track_activity_query_size = 1024 # (change requires restart) #track_counts = on -#track_functions = none # none, pl, all +#track_functions = none # none, pl, all #transform_null_equals = off -unix_socket_directory = '/var/run/postgresql' # (change requires restart) -#unix_socket_group = '' # (change requires restart) -#unix_socket_permissions = 0777 # begin with 0 to use octal notation +unix_socket_directory = '/run/postgresql/sock' # (change requires restart) +unix_socket_group = 'postgres-data' # (change requires restart) +unix_socket_permissions = 0770 # begin with 0 to use octal notation #update_process_title = on -#vacuum_cost_delay = 0ms # 0-100 milliseconds -#vacuum_cost_limit = 200 # 1-10000 credits -#vacuum_cost_page_dirty = 20 # 0-10000 credits -#vacuum_cost_page_hit = 1 # 0-10000 credits -#vacuum_cost_page_miss = 10 # 0-10000 credits -#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed +#vacuum_cost_delay = 0ms # 0-100 milliseconds +#vacuum_cost_limit = 200 # 1-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 10 # 0-10000 credits +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed #vacuum_freeze_min_age = 50000000 #vacuum_freeze_table_age = 150000000 -#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers -#wal_keep_segments = 0 # in logfile segments, 16MB each; 0 disables -#wal_level = minimal # minimal, archive, or hot_standby -#wal_receiver_status_interval = 10s # send replies at least this often -#wal_sender_delay = 1s # walsender cycle time, 1-10000 milliseconds -#wal_sync_method = fsync # the default is the first option -#wal_writer_delay = 200ms # 1-10000 milliseconds -#work_mem = 1MB # min 64kB +#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers +#wal_keep_segments = 0 # in logfile segments, 16MB each; 0 disables +#wal_level = minimal # minimal, archive, or hot_standby +#wal_receiver_status_interval = 10s # send replies at least this often +#wal_sender_delay = 1s # walsender cycle time, 1-10000 milliseconds +#wal_sync_method = fsync # the default is the first option +#wal_writer_delay = 200ms # 1-10000 milliseconds +#work_mem = 1MB # min 64kB #xmlbinary = 'base64' #xmloption = 'content' diff --git a/etc/sv/postgres/configure.sh b/etc/sv/postgres/configure.sh new file mode 100644 index 0000000..165df68 --- /dev/null +++ b/etc/sv/postgres/configure.sh @@ -0,0 +1,9 @@ +rule adduser log-"$sv"\ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/postgresql/log/9.1/main \ + --shell /bin/false \ + --system +sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \ + /home/postgresql/log diff --git a/etc/sv/postgres/log/run b/etc/sv/postgres/log/run new file mode 100755 index 0000000..96866cb --- /dev/null +++ b/etc/sv/postgres/log/run @@ -0,0 +1,7 @@ +#!/bin/sh -eux +sv=${PWD%/log} +sv=${sv#/etc/sv/} +eval "home=~log-$sv" +cd "$home" +exec chpst -u log-"$sv":log-"$sv" \ + svlogd -v -tt "$home" diff --git a/etc/sv/postgres/run b/etc/sv/postgres/run new file mode 100755 index 0000000..d8eedca --- /dev/null +++ b/etc/sv/postgres/run @@ -0,0 +1,10 @@ +#!/bin/sh -eux +exec 2>&1 +sv=${PWD#/etc/sv/} +eval "home=~$sv" +exec /usr/bin/chpst \ + -u "$sv":"$sv":"$sv"-data \ + /usr/lib/postgresql/9.1/bin/postgres \ + -D "$home"/data \ + -e \ + -c config_file=/etc/postgresql/9.1/main/postgresql.conf diff --git a/vm_hosted b/vm_hosted index 806face..e8fd3c4 100755 --- a/vm_hosted +++ b/vm_hosted @@ -727,22 +727,31 @@ rule_mysql_configure () { /etc/mysql/my.cnf sudo install -d -m 751 -o mysql -g mysql \ /home/mysql + sudo rm -rf /etc/mysql + sudo install -d -m 750 -o mysql -g mysql \ + /etc/mysql \ + /home/mysql/etc + sudo ln -fns \ + /etc/mysql \ + /home/mysql/etc/mysql if sudo test ! -d /home/mysql/data then sudo install -d -m 750 -o mysql -g mysql-data \ /home/mysql/data sudo -u mysql mysql_install_db \ - --no-defaults \ - --datadir=/home/mysql/data + --datadir=/home/mysql/data \ + --no-defaults fi sudo service tmpfs restart + sudo insserv -r mysql case $(sudo sv status mysql || true) in (''|run:*|*"s, normally up;"*) sudo sv restart mysql case $(sudo inotifywait -e create -- /run/mysqld/sock/) in ("/run/mysqld/sock/ CREATE mysql") # NOTE: - # - ajoute l'accès par socket Unix à root + # - ajoute l'accès par socket Unix à mysql + # - ajoute les droits de super-utilisateur à mysql # - supprime l'accès par mot-de-passe à root # - supprime les bases de données de l'utilisateurice anonyme # - supprime l'utilisateurice anonyme @@ -753,8 +762,8 @@ rule_mysql_configure () { # DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1'); sudo mysql -u root --batch --verbose <<-EOF DELETE FROM mysql.user WHERE user = 'root' and plugin = ''; - GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED WITH auth_socket; - UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='root'; + GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket; + UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql'; DELETE FROM mysql.db WHERE user = ''; DELETE FROM mysql.user WHERE user = ''; FLUSH PRIVILEGES; @@ -764,7 +773,7 @@ rule_mysql_configure () { esac } rule_mysql_db_add () { # SYNTAX: $user $db - sudo mysql --batch -u root <<-EOF + sudo -u mysql mysql --batch <<-EOF DROP DATABASE IF EXISTS $db; CREATE DATABASE $db CHARACTER SET utf8 COLLATE utf8_general_ci; GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket; @@ -772,8 +781,10 @@ rule_mysql_db_add () { # SYNTAX: $user $db EOF } rule_mysql_user_add () { # SYNTAX: $user - sudo mysql --batch -u root <<-EOF + sudo mysql -u mysql --batch <<-EOF || true DROP USER '$user'@'localhost'; + EOF + sudo mysql -u mysql --batch <<-EOF CREATE USER '$user'@'localhost' IDENTIFIED WITH auth_socket; EOF } @@ -1144,14 +1155,117 @@ rule_postfix_configure () { sudo service postfix restart } rule_postgresql_configure () { + # DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting rule apt_get_install postgresql-9.1 - if [ ! -d /var/lib/postgresql/9.1/ ]; then - pg_createcluster -u postgres --start 9.1 main - fi - sudo install -m 660 -o root -g root \ - "$tool"/etc/postgresql/9.1/main/postgresql.conf \ - /etc/postgresql/9.1/main/postgresql.conf - sudo service postgresql restart + rule adduser postgres \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/postgresql \ + --shell /bin/false \ + --system + rule adduser postgres-data \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/postgresql/data \ + --no-create-home \ + --shell /bin/false \ + --system + sudo usermod --home /home/postgresql postgres + sudo adduser postgres postgres-data + sudo rm -rf \ + /etc/postgresql + sudo install -d -m 750 -o postgres -g postgres \ + /home/postgresql \ + /home/postgresql/etc \ + /etc/postgresql \ + /etc/postgresql/9.1 \ + /etc/postgresql/9.1/main + sudo ln -fns \ + /etc/postgresql \ + /home/postgresql/etc/postgresql + sudo install -d -m 751 -o postgres -g postgres \ + /home/postgresql/log \ + /home/postgresql/log/9.1 + sudo service tmpfs restart + if sudo test ! -d /home/postgresql/data + then + sudo install -d -m 750 -o postgres -g postgres \ + /home/postgresql/data + ( + cd / + sudo -u postgres pg_createcluster \ + --datadir=/home/postgresql/data \ + --logfile=/home/postgresql/log/9.1/main \ + --socketdir=/run/postgresql/sock \ + --start 9.1 main + ) + fi + sudo install -m 770 -o postgres -g postgres /dev/stdin \ + /etc/postgresql/9.1/main/pg_hba.conf <<-EOF + local all postgres peer + local all all peer + EOF + sudo install -m 660 -o postgres -g postgres \ + "$tool"/etc/postgresql/9.1/main/postgresql.conf \ + /etc/postgresql/9.1/main/postgresql.conf + sudo insserv -r postgresql + case $(sudo sv status postgres || true) in + (''|run:*|*"s, normally up;"*) + sudo sv restart postgres + ( + cd / + case $(sudo inotifywait -e create -- /run/postgresql/sock/) in + ("/run/postgresql/sock/ CREATE .s.PGSQL."*) + # NOTE: + # - supprime l'accès au schéma public depuis public, + # de sorte à ce que les différents utilisateurices + # ne voient pas leurs bases de données entre-elleux ; + # - ajoute le support de PL/PGSQL + sudo -u postgres psql template1 -f - <<-EOF + REVOKE ALL ON DATABASE template1 FROM public; + REVOKE ALL ON SCHEMA public FROM public; + GRANT ALL ON SCHEMA public TO postgres; + CREATE LANGUAGE plpgsql; + EOF + # NOTE: + # - supprime l'accès à la liste des bases données + # et utilisateurices depuis public. + sudo -u postgres psql template1 -f - <<-EOF + REVOKE ALL ON pg_auth_members FROM public; + REVOKE ALL ON pg_authid FROM public; + REVOKE ALL ON pg_database FROM public; + REVOKE ALL ON pg_group FROM public; + REVOKE ALL ON pg_roles FROM public; + REVOKE ALL ON pg_settings FROM public; + REVOKE ALL ON pg_tablespace FROM public; + REVOKE ALL ON pg_user FROM public; + EOF + ;; + esac + ) + ;; + esac + } +rule_postgresql_db_add () { # SYNTAX: $db $db_user + local db="$1" db_user="$2" + sudo -u postgresql psql template1 -f - <<-EOF + CREATE ROLE $db NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN; + CREATE ROLE $db_user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED; + GRANT $db TO $db_user; + CREATE DATABASE $db WITH OWNER=$db_user; + REVOKE ALL ON DATABASE $db FROM public; + EOF + } +rule_postgresql_db_user_add () { # SYNTAX: $db $user + local db="$1" user="$2" + sudo -u postgresql psql template1 -f - <<-EOF + CREATE ROLE $user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED; + GRANT USAGE ON SCHEMA public TO $user; + GRANT CONNECT,TEMPORARY ON DATABASE $db TO $user; + GRANT $db TO $user; + EOF } rule_openerp_configure () { sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF