This page in other versions: 9.0 / 9.1 / 9.2 / 9.3  |  Development versions: devel / 9.4  |  Unsupported versions: 7.1 / 7.2 / 7.3 / 7.4 / 8.0 / 8.1 / 8.2 / 8.3 / 8.4

Chapter 16. Operating System Environment

This chapter discusses how to set up and run the database server and its interactions with the operating system.

16.1. The PostgreSQL User Account

As with any other server daemon that is accessible to the outside world, it is advisable to run PostgreSQL under a separate user account. This user account should only own the data that is managed by the server, and should not be shared with other daemons. (For example, using the user nobody is a bad idea.) It is not advisable to install executables owned by this user because compromised systems could then modify their own binaries.

To add a Unix user account to your system, look for a command useradd or adduser. The user name postgres is often used, and is assumed throughout this book, but you can use another name if you like.

Comments


Feb. 22, 2006, 11:38 a.m.

Mac OS X does not have the useradd or adduser commands, since user management is taken care of by NetInfo. You can instead create a user account with the niutil command from the Terminal, or with the NetInfo Manager application. You will need sudo or root access to create the user account.

Although the manual does not mention groups, it is a good idea to give the user account its own group as well. This prevents any files in the database cluster with group write access from being modified by other users.

To create the user account and group from the Terminal, first find a user ID and group ID that are not in use. If the user ID is less than 500, the new account will not be listed in the OS X login screen, which is probably what you want. To find an unused user ID and group ID, type

# nireport / /users name uid
# nireport / /groups name gid

For example, assume user ID 210 and group ID 220 are not in use. To create the user account and group named postgres, use the following commands

# sudo niutil -create / /groups/postgres
# sudo niutil -createprop / /groups/postgres gid 220
# sudo niutil -create / /users/postgres
# sudo niutil -createprop / /users/postgres uid 210
# sudo niutil -createprop / /users/postgres gid 220
# sudo niutil -createprop / /users/postgres home /usr/local/pgsql
# sudo niutil -createprop / /users/postgres shell /bin/bash

The user account is now created. It is not given a password intentionally. This prevents anyone but root from logging in as postgres. To use the postgres user account, type

# sudo su - postgres

When the database cluster is initialised, you want the cluster to not only be owned by the postgres user, but also by the postgres group. Replace the chown line in Section 16.2 with

# chown postgres.postgres /usr/local/pgsql/data

This information is partially based on OpenACS documentation written by Vinod Kurup. (http://openacs.org/doc/current/postgres.html)


Oct. 12, 2006, 11:23 a.m.

Probably it's good to explicitely state that the user should belong to the group "daemon"?

-- Well, as far as this is really necessary. But I had permission denied errors on executing "initdb" on the data directory (also changed its owner as described earlier in doc). It repeated after assigning my user postgres to the group daemon.

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group